Privacy Policy
(Version 10.2., Date 19.02.2025)
In this Privacy Policy, N26 Bank SE (hereinafter: “N26”, “we”, “our”) shall inform you about the collection, use and processing of personal data when using our website https://n26.com (hereinafter: “Website”), our web application (hereinafter: “Web App”) and our mobile app (hereinafter: “App”) and our social media pages (jointly: “Services”). We will explicitly point out in case any information of this Privacy Policy refers exclusively to any of our Services. For information related to the usage of cookies or similar technologies on our Website, Web App or App, please refer to the respective Website and App Cookie Policies in the Legal Documents section of your App or on our Website. In this context, personal data means all detailed information about personal or factual circumstances of a specific or identifiable natural person, such as name, telephone number or address. We process your personal data either within our business relation if you are a N26 customer or when you are visiting our Website for informative purposes, when you are interacting with our social media pages or if you get in touch with us. Furthermore, we process personal data coming from publicly accessible sources (e.g. records of debtors, trade registers, registers of associations, media, press, internet) whenever we have a legal ground that allows us to do so. When using additional N26 products or products of our business partners additional personal data might be collected, processed and stored. Please find details concerning the processing of additional data in the respective product category below.
I. Controller, processors and joint or separate controllers
The responsible entity for the collection, processing and use of your personal data is:
N26 Bank SE
Voltairestraße 8
10179 Berlin
N26 has appointed a Data Protection Officer, who is accessible via dpo@n26.com.
You will find more detailed information regarding N26 in the imprint.
Some of our data processing activities can be carried out by a third party on behalf of N26. Where processing of personal data is carried out on behalf of N26, we conclude a separate contract with the processor in accordance with Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “GDPR”). Our list of processors includes pure data processors, meaning technical service providers, which fall under the following categories:
- IT infrastructure and connection providers
- IT security providers
- Software and software maintenance providers, including for the provision of our App
- Back office management service providers
- Cloud infrastructure service providers
- Financial services, payments and transaction processing service providers
- Customer relationship management providers
- KYC providers
- Customer support providers
- Fraud prevention service providers and identification service providers
- Payment cards service providers
- Account switching service providers
- Ad service providers
- Address verification providers
- Information/Documentation automation, management & destruction service providers
- Customer reach/impact assessment providers
- Consultancy companies
- Analytical software/platform providers
You will also come across specific data processors which are expressly indicated to you when you use our Services. We understand that these specific data processors can be of interest to you in case you want to exercise, before them, your rights in accordance with the GDPR. These specific data processors are also mentioned in this Privacy Policy for each product or service.
N26 can transmit your personal data to other entities such as other financial institutions, regulatory and supervisory authorities as well as public and governmental bodies and agencies, including, in addition, the ECB (European Central Bank), the EBA (European Banking Authority), the German Federal Bank, the BaFin (German Federal Financial Supervisory Authority) among other entities, who will act as separate data controllers of your personal data, for the purposes of:
- Enforcement of claims and defense within legal disputes, based on the legitimate interest of N26 Bank of exercising its right of defense before courts/competent authorities;
- Complying with legal obligations regarding regulatory, tax and anti-money laundering reporting requirements;
- Fraud prevention, based on the legitimate interest of N26 not to contract or provide services to any potential customer related to fraud;
- Preventing criminal acts, based on the legitimate interest of N26 not to contract or provide services to any potential customer related to any crimes.
N26 can transmit your data to external lawyers, advisors and consultants, who are separate controllers and bound to professional confidentiality, for the purposes described above.
Furthermore, N26 will transmit your personal data to third parties, meaning other data controllers of your personal data, if that is triggered by you in the framework of the provision of our Services to you. Specific separate controllers will be indicated for each processing activity in more detail in the following sections of our Privacy Policy. Additionally, we may be joint controllers together with the respective Social Media Network (as defined in section VII below) for specific processing activities. This is expressly indicated below together with information on the respective responsibilities of each controller, whenever applicable.
II. Data processing purposes and legal basis
We process your personal data in accordance with the GDPR and any national legislation including but not limited to the German Federal Data Protection Act (hereinafter: “Data Protection Regulation”).
In compliance with such Data Protection Regulation, N26 will only process your personal data if at least one of the following legal bases applies, as detailed in section III. below regarding our specific data processing activities:
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6 (1) b) GDPR)
Personal data is processed to conduct financial services and banking transactions in order to fulfill our pre-contractual and contractual obligations.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes (Art. 6 (1) a) GDPR)
In case you gave your consent to the processing of your personal data for specific purposes, the processing is permitted on the legal basis of your consent. Your consent is revocable at any time, as described in section X. below.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Art. 6 (1) f) GDPR)
We process your personal data in order to pursue our legitimate interests or the legitimate interests of a third party, where those legitimate interests override any of your rights and the data processing activities are necessary to satisfy such legitimate interests. In such cases, we have carried out a legitimate interest assessment, where those legitimate interests, impact and guarantees have been analyzed. Those cases are the following:
- Improving our processes and service levels relating to the provision of banking services, based on the legitimate interest of N26 of improving its internal processes and services offered to customers and improving the customer experience.
- Direct marketing for N26 products and partnership offers, based on the legitimate interest of N26 to send customers relevant information about updates to existing products, the launch of new products as well as products which are offered together with partners and promotions, including market and opinion analysis. For this purpose, we use customer segmentation. In individual cases, the processing for customer segmentation may constitute profiling.
- Sending customers relevant information related to their usage of N26 products and services, as far as necessary to provide such information. For this purpose, we use customer segmentation. In individual cases, the processing for customer segmentation may constitute profiling.
- Improving the user experience for our Fan Page visitors on our Social Media Pages (as defined below in section VII.) in a target group-oriented manner and offering competitions and giveaways for marketing purposes on our Social Media Pages.
- Enforcement of claims and defense within legal disputes, based on the legitimate interest of N26 of exercising its right of defense before courts/competent authorities.
- To ensure IT security, based on the legitimate interest of N26 to ensure the security of the IT infrastructure used to provide its services and products.
- Fraud prevention, based on the legitimate interest of N26 not to contract or provide services to any potential customer related to fraud.
- To prevent criminal acts, based on the legitimate interest of N26 not to contract or provide services to any potential customer related to any crimes.
- Risk management within the N26 Group, based on the legitimate interest of N26 of managing the financial risk that it can take with regard to performing financial services.
- To conduct and produce anonymised statistical research and reports, based on the legitimate interest of N26 to conduct research and analysis regarding the use customers make of the products and features provided by N26.
- Product analysis which may include the analysis of your user behaviour in relation to certain products and promotional offers, based on the legitimate interest of N26 to develop, test and optimise products and services. If possible, the data is anonymised in the first step, i.e. personal data is no longer processed afterwards. In individual cases, the processing may constitute profiling.
- Processing is necessary for compliance with a legal obligation to which the controller is subject (Art. 6 (1) c) GDPR)
N26 is subject to several legal obligations as well as regulatory requirements which require N26 to process personal data, including for purposes of verification of your identity and age, prevention of money laundering and fraud, taking part in judicial proceedings or as part of judicial and police activities, verification of your credit risk rating, control and reporting obligations based on provisions of the supervisory authorities, tax laws and risk assessment of N26. Such obligations derive from the applicable banking legislation and regulatory requirements, including from the Anti Money Laundering Laws, Laws on Countering of Terrorism Financing, Banking Laws, Tax Laws as well as other binding measures on financial matters.
III. Data processing within the framework of N26 products
1. Data collection and processing in case of opening and using the N26 account
Personal data related to your identification, contact data, economic data and finance data will be processed by N26 for the purpose of opening an account with N26 (hereinafter: “Sign-up”) and using the Services of N26. The legal basis of the processing of these data is Art. 6 (1) b) GDPR. These data include the following personal data:
- First name and surname
- Date of birth
- Place of birth
- Nationality
- Email address
- Legal address
- Mobile telephone number
- Tax-ID and tax residence
- Occupation
- Gender
- Identification document including type of identification document, issue date, document number and issuing authority
- Data concerning your economic situation and your N26 products and services usage history which are your IBAN, customer ID, card details, transaction details (card payment and banking transfer amounts and recipients) based on products and services contracted with N26.
Please note that it is not possible to open an account, if you do not provide your personal data as mentioned above. In order to process transactions, N26 receives personal data and transfers personal data according to the applicable legal and regulatory framework to payers, recipients and other financial institutions. The personal data received by other entities in this regard concerns your name and surname, including transaction details like the payment reference and registered IBAN.
During the creation of your N26 account we will need access to your geolocation upon your consent in the settings of your smartphone; you will find further information in the privacy policy of the operating system of your smartphone. The lawful basis of this processing is our legitimate interests in confirming that you are located in your country of residence in order for us to comply with our legal obligations related to fraud prevention (Art. 6 (1) f) GDPR). For more information on the legitimate interest as a legal basis for processing data, please see section II. above.
In addition, we might ask you to submit additional documents for verification. The lawful basis of this processing is Art. 6 (1) c) GDPR as the processing is required to comply with legal obligations stemming from Anti Money Laundering and Countering of Terrorism laws. What personal data we will be processing depends on the document we are requesting and receiving from you. Such documents can be a proof of residence (such as a gas, water or electricity bill less than 3 months old or a registration certificate), a proof of salary (such as an employment contract, salary statement or statement of assets and income; in case you send us one of the two latter ones, we ask you to please black out any data related to your religious beliefs and family status, if provided therein), your visa documentation or proof of study which states the reason why you live in the country indicated by you as country of residence, or a document attesting your source of wealth (contracts, bank statements, information around asset sales, capital gains or inheritance). Once you send us any of the mentioned documents they will be assessed manually by N26 to verify and confirm that we have all the data about you that we need in order to open your account with us or to allow you to continue using our Services. In case the information you sent us upon our request is not sufficient, we will reach out to you and ask you for more documentation, which is equally subject to the above mentioned.
2. Data collection and processing in case of opening and using a N26 Joint Account
In order to facilitate Joint Accounts we have to process the personal data mentioned in the preceding Section (Sec. III. 1). Additionally:
- When you open the Joint Account:
To start managing your money together with another N26 Customer, you can either set up a Joint Account and invite another N26 Customer to join you or, alternatively, you can accept an invitation from another N26 Customer to join as owner of a Joint Account set up by that Customer. In order to let other N26 Customers find you (so they can invite you), or to let them know that you have joined N26 and are ready to join a Joint Account, you have to make yourself “visible” and allow access to your contact list. Notwithstanding, you can still invite other members even if you are not visible. You can find more information on this in Sec. III. 3 and 4, below. Should you be the one creating a Joint Account, please note that when you invite another customer to join a Joint Account, your contact details will be shared with the invitee, as an additional security step, for the purpose of fraud prevention.
- When you own the account together with another N26 Customer:
Both account holders are equal owners of the account and both are entitled to have individual access to all personal data and transactions related to that Joint Account, including transactions made by the other member on the Joint Account. There will be no access from the other account holder to your data related to your other existing N26 account(s).
The processing of data in the context of creating and using a Joint Account is necessary for the execution of the agreement between N26 and you and the other account holder (Art. 6 (1) b) GDPR), and also for the purposes of the legitimate interests pursued by N26 to comply with our legal obligations related to money laundering and fraud prevention (Art. 6 (1) f) GDPR). For more information on the legitimate interest as a legal basis for processing data, please see Section II. above.
For information about personal data transmitted to SCHUFA, please see section V. below.
3. Data processing within the framework of MoneyBeam
The MoneyBeam service is available to you within the framework of the use of our account. You can send money via MoneyBeam to the contacts from your mobile device who are also N26 customers without knowing their bank details. In order to facilitate MoneyBeam, we have to process data from sender and recipient, as well as certain transaction data, based on the execution of our agreement with you, according to Art. 6 (1) b) GDPR. Transaction data are the same as for a normal bank transfer, with the difference that no IBAN is required, but only an email address or phone number, and that no data is transmitted to third parties. In order to use MoneyBeam, customers have to make themselves “visible” as N26 customers and allow access to their mobile device’s contact list. To enable this, N26 will access the contacts stored on your mobile device. N26 shall only access your stored contacts if you previously consent to this. Please find more information in section III.4. below.
4. Visibility as an N26 customer when using certain N26 features
In the context of using certain N26 features like MoneyBeam, Request from friends, Shared Spaces, Split the Bill or Money QR Code, we ask for your consent, according to Art. 6 (1) a) GDPR, to be visible to other N26 customers as an N26 customer. By granting N26 permission to share your status as an N26 customer, we can display this information to other N26 customers, in the context of their use of certain N26 features, if you are present on their mobile device’s contact list. You are then visible to your contacts if they are also customers of N26. You can revoke this consent in the App at any time via My Account > Settings > Personal Settings > Personal Information, and manage your visibility as explained here.
To facilitate your use of N26 features in connection with your contacts, we will access your mobile device’s contact list and upload your contacts’ information to your N26 account, based on your consent, according to Art. 6 (1) a) GDPR. This will include a regular sync with your mobile device to ensure your contacts’ information is up-to-date. You can withdraw or manage your consent at any time directly through your mobile device’s operating system. You will be able to see all contacts from your mobile device in your N26 account, including which of them are also N26 customers, provided that they have made themselves “visible” as such. We will store your contacts to make them available to you in your N26 account and combine this data with other contact information you provide when using our services to make it easier for you to search and find your contacts in the context of a transaction and the use of other N26 features. For these purposes, we rely on our legitimate interest, according to Art. 6 (1) f) GDPR, to provide you with improved service functionality and a better customer experience. For more information on legitimate interest as a legal basis for processing data, please see section II. above.
6. Data processing in the framework of Shared Spaces
In order to facilitate Shared Spaces, we have to process data to identify the members of a Shared Space and transaction data related to the use of this feature, based on the execution of our agreement with you, according to Art. 6 (1) b) GDPR. No data is transmitted to third parties. In order to use Shared Spaces, members have to make themselves “visible” and allow access to their mobile device’s contact list. You can find more information on this in section III.3.
To facilitate your insurance cover for your N26 You or N26 Metal membership, we collaborate with AWP P&C S.A. - Dutch Branch, which operates under the trademarks Allianz Global Assistance Europe and Allianz Assistance, as a member of the Allianz Group (hereinafter “Allianz Assistance”). Allianz Assistance processes your personal data as a separate controller. You can find more information in the Allianz Assistance Privacy Notice available in the legal documents section for N26 You and N26 Metal, depending on your N26 membership.
N26 will transmit your personal data to Allianz Assistance to ensure:
- Your insurance cover once you sign up for an N26 You or N26 Metal membership. We will transmit your first name and surname, date of birth, email address, customer ID and legal address to Allianz Assistance, based on the execution of our agreement with you, according to Art. 6 (1) b) GDPR.
- Your claims are processed if you file an insurance claim with Allianz Assistance. We might need to transmit additional information to Allianz Assistance, such as information related to financial transactions, based on the execution of our agreement with you, according to Art. 6 (1) b) GDPR, or to comply with our or Allianz Assistance’s legal obligations, according to Art. 6 (1) c) GDPR.
8. Data transmission within the framework of N26 Foreign Currency Transfers
In order to facilitate N26 Foreign Currency Transfers, we collaborate with Wise Payments Limited, Tea Building, 6th Floor, 56 Shoreditch High Street, London, EI 6JJ, United Kingdom (“Wise”). Wise facilitates transactions in foreign currencies with your N26 account. Upon your request, the transfer amount is converted to the target currency and sent to the recipient’s bank account in the target country. For this purpose, we process and share with Wise your name, address, customer ID, birthdate, IBAN, as well as the timestamp of the transfer, payment reference text, source currency code, transfer amount in source currency, target currency code, exchange rate value, transfer amount in target currency, the recipient’s name and bank account number. Wise processes this data according to our instructions to facilitate the transfer, as our data processor. Your personal data is processed based on the execution of our agreement with you, according to Art. 6 (1) b) GDPR.
Additionally, we process your data as described above to comply with our legal obligations under applicable laws and regulatory requirements, based on Art. 6 (1) c) GDPR, as specified in section II. above. Furthermore, we process the data to detect and prevent fraud and criminal acts and to manage risks, based on our legitimate interests under Art. 6 (1) f) GDPR. For more information on our legitimate interest as a legal basis for processing data, please see section II. above.
Wise also processes the data above as a separate data controller for their own purposes, namely satisfying their legal and regulatory obligations, such as anti-money laundering and banking sanction checks.
For this purpose and upon a lawful inquiry by Wise, we may also share with Wise some additional information related to you, including the stated purpose of the transfer, source of funds, place of birth, phone number, email address, occupation, proof of address and data related to your identity verification process, including a copy of your identification document used when opening your N26 account. Wise will retain your data for 5 years after the date of the respective transfer, unless otherwise required to comply with applicable laws and regulations. You can find more information on Wise’s Privacy Policy.
9. Data processing in the framework of Cash26
In order to be able to implement the Cash26 service and enable you to withdraw and deposit cash, we shall transmit your account details and the corresponding transaction data, based on the execution of your request to withdraw or deposit cash according to Art. 6 (1) b) GDPR, to our Cash26 partner so you can withdraw and deposit cash in the stores selected by you when using Cash26. To display to you the location of our Cash26 partners nearby, we process your geolocation if you gave consent to it according to Art. 6 (1) a) GDPR. This geolocation will not be shared with the Cash26 partners and will only be used to provide this service, keeping the data temporarily only for as long as you are using this service each time you are using it. You can revoke your consent at any time in the settings of your smartphone. You will find further information in the privacy policy of the operating system of your smartphone.
10. Data processing in the context of digital payment methods
When you make a payment with your N26 card by using a digital wallet (such as Apple Pay, Google Pay; or Samsung Pay and Garmin Pay via Mastercard Wallet Express) or an online checkout service (such as Mastercard Click to Pay), N26 engages with Mastercard Processing S.A., 198/A Chaussée de Tervuren, 1410 Waterloo, Belgium (“Mastercard”) which supports us in performing the requested transaction, as our data processor. Specifically, your transaction data is tokenized at Mastercard, and further transmitted on our behalf by Mastercard to the provider of the chosen payment method, which is a separate data controller. Tokens are used to authorize and to perform transactions with the payment method provider and these tokens ensure the confidentiality of your personal data. This way, your card details are not shared with the merchant, nor stored on your device.
The above processing of personal data, namely making available transaction data to and its respective tokenization by Mastercard, as well as the transmission of that tokenized transaction data to the payment method provider, are based on the execution of the agreement between N26 and you, according to Art. 6 (1) b) GDPR.
11. Data transmission in the framework of Open Banking
To comply with a request to access your N26 account for payment initiation services, account information services and confirmation on the availability of funds (hereinafter: “Open Banking Request”), your personal data is provided to authorized third party payment service providers. The personal data transmitted will include your IBAN, Bank Account ID and customer ID. We provide the personal data you request through a licensed third party described in this section on the basis that it is necessary to comply with our obligation under the applicable legal and regulatory framework to provide an interface for communication with licensed payment service providers of your choice (Art. 6 (1) c) GDPR) and that it is necessary to perform our obligations under the N26 account contract (Art. 6 (1) b) GDPR).
12. Data processing in the framework of N26 Instant Savings
N26 Instant Savings offers you a way to earn interest on your savings. To enable the product, if you choose to open an N26 Instant Savings account, we process your name, legal address, identification document, tax identification number, tax residence, customer ID, device ID and mobile operating system. We may also process your US Individual Taxpayer Identification Number (ITIN) or Social Security Number (SSN), if you are subject to tax in the US.
We also process data specifically related to your N26 Instant Savings account, which are the IBAN, BIC, status and account balance, and data related to your use of it, including transaction data, which consist of deposits and withdrawals, dates, amounts and, if applicable, recipients and senders. Moreover, we process applicable interest rates, amount of interest earned, applicable withholding tax and other tax related information. The legal basis for the data processing is the execution of our agreement with you, according to Art. 6 (1) b) GDPR.
Additionally, we process data that you share with us about the expected monthly deposit amount and source of funds in order to conduct research and analysis regarding the use customers make of our products and features. In this case, we rely on the legal basis of our legitimate interests, as per Art. 6 (1) f) GDPR. For more information on legitimate interest as a legal basis for processing data, please see section II. above.
We further process your data to comply with our legal obligations under applicable laws and regulatory requirements, based on Art. 6 (1) c) GDPR, including the German Banking Act (Kreditwesengesetz), Money Laundering Act (Geldwäschegesetz), Fiscal Code (Abgabenordnung) and other binding measures related to financial matters, as well as to detect and prevent fraud and criminal acts and to manage risks, based on our legitimate interests under Art. 6 (1) f) GDPR.
In Germany, we partner with CPB Software (Germany) GmbH, Im Bruch 3, 63897 Miltenberg, Germany (“CPB”) to assist in calculating and reporting withholding taxes of the N26 Instant Savings account. Therefore, if you change your registered address to Germany, we will share the data mentioned above with CPB for such purposes. As our data processor, CPB processes this data solely in accordance with our instructions.
13. Data transmission in the framework of the Stripe Top Up Feature
The Stripe Top Up Feature (hereinafter: “Top Up Feature”) provides an easy method for new customers to add funds to their accounts instantly. Stripe Payments Europe Ltd. (hereinafter: “Stripe”), The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland is providing the technical setup and integration with the relevant payment processors, as a processor. In order to be able to use the Top Up Feature, N26 transmits information regarding payment details (cardholder name, email address, customer ID, order ID, bank account details, payment card details, card expiration date, CVC code, date, time and amount of transaction, merchant name/ID and location) to Stripe. Stripe will also process your data in order to fulfill its legal obligations, as a separate controller, like monitoring fraudulent payment transactions, know-your-customer obligations and anti-money-laundering screening. Stripe and N26 only exchange anonymized tokens and N26 never sees or stores the details of the card used for the deposit. The usage of the Top Up Feature is entirely voluntary for eligible customers, as part of your contract with N26 and the respective data processing is based on Art. 6 (1) b) GDPR.
14. N26 Crypto Service
In order to be able to make the N26 Crypto Service available to you, so you can use the crypto trading services powered by Bitpanda GmbH, Stella-Klein-Löw-Weg 17, 1020 Vienna, Austria (“Bitpanda”) within your N26 app, we process the following data points related to you, based on the execution of the agreement between N26 and you, according to Art. 6 (1) b) GDPR:
- Data collected when you create N26 Crypto service account: your name, email address, mobile phone number, date of birth, place of birth, legal address, your tax residence, gender, citizenship, customer ID;
- Data collected from you within the application flow for N26 Crypto Service: your sources of income to invest into cryptocurrencies, current employment status, yearly net income, rough net worth, expected total investment per year, knowledge and experience with investing; knowledge of the potential risks and obligations of stocks and derivatives.
We will also process this data on behalf of Bitpanda (Art. 28 GDPR), and transmit it to Bitpanda and to Bitpanda Asset Management GmbH so that Bitpanda can set up your N26 Crypto Service. This processing is based on pre-contractual steps taken upon your request in accordance with Art. 6 (1) b) GDPR.
When you use your N26 Crypto Service, we process your personal data related to any investment orders and transactions you wish to perform on your N26 Crypto account (including investment plans) and we transmit that data to Bitpanda, so that Bitpanda can execute such orders and transactions as a separate data controller. This processing is based on your agreement with Bitpanda, in accordance with Art. 6 (1) b) GDPR.
15. N26 Stocks & ETFs
In order to be able to make the N26 Stocks & ETFs available to you, so you can use the trading services provided by Upvest Securities GmbH, Schlesische Straße 33/34, 10997 Berlin (“Upvest”) within your N26 App, N26 and Upvest will process your personal data. Upvest is the controller for the processing of your personal data for executing the orders and transactions you place through the N26 App (including the subscription of ready-made funds). The Upvest’s Terms and Conditions and Privacy Policy apply. In this context, N26 will process the following personal data on behalf of Upvest as a processor (Art. 28 GDPR) for the following purposes: - Eligibility check: The usage of the N26 Stocks & ETFs is entirely voluntary for eligible customers. The eligibility check is done in accordance with the terms and conditions applicable to this product and is a step necessary prior to entering into those terms and conditions. For this purpose we process information such as your tax residency and your N26 account status. The required legal basis for this is Art. 6 (1) b) GDPR.
- Creation of an account with Upvest, as per Upvest’s Terms and Conditions. The required legal basis for this is Art. 6 (1) b) GDPR. For this purpose we process the following information:
- Information that was collected from you when you opened your N26 account and which is necessary to set up your account with Upvest: date of your identification procedure, your full name, email address, mobile phone number, date of birth, place of birth, legal address, your tax residence, gender, nationality(ies), copy of your ID and ID type, number, issuance date and expiration date, pictures taken within the identification procedure.
- Confirmation of the following information for tax purposes: tax residency(ies) and tax ID(s). Please note that, if your tax residency and/or tax ID are not correct or if your identification procedure was performed over 24 months ago, we might request additional information from you.
- Execution of your orders and transactions by Upvest: Processing of the necessary information related to your orders and transactions, namely the amount, type and frequency (especially in case of investment plans) of your placed orders and transactions. This also includes any ready-made funds that you subscribe to. The required legal basis for this is Art. 6 (1) b) GDPR.
- Compliance with legal obligations: Processing of personal data for compliance with legal obligations applicable to Upvest like monitoring fraudulent payment transactions, know-your-customer obligations and anti-money-laundering screening (mainly deriving from the Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (“MiFIR”) and the GwG). The required legal basis for this is Art. 6 (1) c) GDPR.
N26 remains the controller for the processing of your personal data for providing you with this feature on your N26 App and ensuring that you can place orders and transactions directly from your main account to your Upvest account, according to Art. 6 (1) b) GDPR, as per the terms and conditions you signed with N26. The information provided in this Privacy Policy related to the usage of your main account applies to this processing of personal data by N26 as a controller. N26 will also process your data as a controller to comply with legal obligations applicable directly to N26, deriving from the MiFIR and the GwG, according to Art. 6 (1) c) GDPR.
16. Data processing in the framework of the Insights feature
The Insights feature is available within the App. The feature sorts your transactions/payments and visualizes your spending in a variety of categories to offer you valuable insights on your spending behavior. In order to offer the Insights feature to you within the App, we process transaction data (i.e. data relating to the sender and recipient of transactions, such as the name of the retailer, amount of transactions, subject (hashtag of transactions)) and data relating to certain actions by the user (i.e. hashtags created by the user for purposes of spending categorization), as part of your contract with N26, and the respective data processing is based on Art. 6 (1) b) GDPR.
17. Data processing when displaying in-App updates
If you use the App, so-called in-App updates will be displayed. The purpose of the in-App updates is to inform you about the content of your contract, new functionalities of the App or App updates and releases and to give you tips for an optimized use of the App. We will process your user and transaction data (recent deposits, payments, withdrawals, friend referrals) in order to provide you with the relevant in-App updates. We process your data to the extent necessary to display relevant information about your contract with N26 or the improved use or new functionalities in the App (Art. 6 (1) b) GDPR).
In addition, the in-App updates may help you to find information about our new services and products related to the App. In order to display in-App updates relevant to you, we will process your user and transaction data (recent deposits, withdrawals, payments, friend referrals). We process your data within the scope of our legitimate interests in informing you about new services and products implemented in our App, as far as this is necessary to display our new features, services and products so you can use any of them if you are interested (Art. 6 (1) f) GDPR). For more information on the legitimate interest as a legal basis for processing data, please see section II. above.
18. Data processing when using the Customer Chat
When discussing any contractual matters (such as account related information or your transactions) with us on our Customer Chat or on our Website or within our App, your IP-address and the information you provide us in your chat communication will be collected and processed, to the extent this is necessary for N26 to provide you the products and services under the contract between you and N26 or any pre-contractual actions required by N26 or as requested by you, based on Art. 6 (1) b) GDPR.
In addition, we process your data within the scope of our legitimate interest in answering your general questions about our services and products and to help you find information about our new services and products related to the App, so you can use any of them if you are interested, Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above.
We use transactional emails, SMS, physical mail, in-app messages and push notifications to inform you about transactions, withdrawals, and other important information related to your usage of our products and services. We will only send you these transactional emails, SMS, physical mail, in-app messages and push notifications if the processing is necessary for the performance of the contract, based on Art. 6 (1) b) GDPR.
We also use informational emails, in-app messages and push notifications to inform you about other relevant information related to your usage of our products and services. For some informational emails, in-app messages and push notifications we analyze your user behavior (status of signup to N26, recent transactions, withdrawals, interaction with services offered such as friend referrals) to send you other relevant information about these processes via emails, in-app messages or push notifications. For this purpose, we use customer segmentation based on our legitimate interest according to Art. 6 (1) f) GDPR to send you information that is relevant to you. We will only send you these emails, in-app messages and push notifications within the scope of our legitimate interests of informing you about other relevant information related to your usage of our App, as far as necessary to provide such information, based on Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. You can object to the processing of your personal data to receive informational emails, in-app messages and push notifications in the App settings via N26 App > My Account > Settings > App-Settings > Communications > Click on respective toggle. For all other communication channels and your right to object to the processing of your data for customer segmentation, please refer to section X. 2. below.
20. Data transmission in the framework of N26 “Insurance”
In cooperation with simplesurance GmbH, Hallesches Ufer 60, 10963 Berlin (hereinafter: “Simplesurance”), we offer “N26 Insurance” for N26 customers as individual add-on options. For the purposes of this service, we will transmit the data collected concerning your personal information and your insurance data, namely your first name and surname, registered address, tax-ID, your email provided to N26, identification number and other information about the insured goods according to Art. 6 (1) b) GDPR to Simplesurance, who will act as a separate controller. Simplesurance may transmit the data collected to the insurer. Please find further information in the Simplesurance privacy policy here.
21. Preparing anonymised statistical datasets
We use your personal data to prepare anonymised statistical datasets about our customers’ spending patterns for forecasting purposes, refining product development, understanding consumer behavior and assessing our company’s performance. The reports are produced by using information about you and other customers, however, the information used is anonymised so that it is no longer personal data. You cannot be linked back as an individual within anonymised statistical data and you will therefore never be identifiable from it. We may share these datasets with third parties. This processing is based on N26’s legal obligations, in accordance with Art. 6 (1) c) GDPR, or based on N26’s legitimate interest, under Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above.
The following example gives you an idea how we are using anonymised data sets under our legal obligations: The Deposit Protection Scheme of German Banks (Entschädigungsfonds deutscher Banken ‘EdB’) requires us to provide anonymised datasets that allow EdB to be updated on indemnifiable deposits for the purposes of the Deposit Guarantee Act (Einlagensicherungsgesetz).
22. Data transmission in the framework of Mastercard Automatic Billing Updater Program
In order to be able to use the Automatic Billing Updater (“ABU”), information concerning your current account is transferred to our processor Mastercard Europe S.A. (“Mastercard S.A.”), 198/A Chaussée de Tervuren, 1410 Waterloo, Belgium. ABU provides automatic updates of information concerning your Mastercard to third party services you use and to which you subscribed with your Mastercard. By doing this ABU helps to reduce preventable card-not-present declines caused by changes to stored payment account information. For this purpose N26 transmits Cardholder information (cardholder PAN and card expiration date) as well as payment information according to Art. 6 (1) b) GDPR to Mastercard S.A. Mastercard S.A. will process those Personal Data for the purpose of providing ABU, including hosting and maintaining the ABU database and checking authorization requests against the ABU database.
23. Data processing in the framework of the Waiting Lists
When you ask us to add you to our waiting list for information on when we’re able to provide our banking services to you, the following data will be collected and processed so that we can inform you once we are able to offer you our services:
- Country of Residence
- Email address
- Language selected by you when using our website
The legal basis of the processing of these data is Art. 6 (1) (b) GDPR. Please note that it’s not possible to include you in the waiting list if you do not provide us with the referred personal data.
Based on your decision to be added to the waiting list, we will send you emails containing the following information:
- Confirmation that you were successfully added to the waiting list
- Information on products/services you may expect as a future N26 customer in your market, once the launch is getting closer, so you can decide if you are still interested in signing up
- Notification that N26 is available again soon, for example containing the envisaged launch date and information about how to sign up
- Information containing a link to sign up for a N26 account, once N26 is available again.
24. Data processing when participating in In-App surveys
When you share your feedback with us in the App by participating in surveys, on a voluntary basis, we process the information that is technically necessary to provide the survey function and enable us to display it to you (metadata). We process your data, as described, for the purpose of displaying surveys to you and obtaining your feedback, based on our legitimate interests, in accordance with Art. 6 (1) f GDPR.
Depending on the survey, we may also process the content of your responses and, in particular, the information that you choose to share with us. Additionally, we may combine the data collected through the survey with other customer data that we process in the context of our contractual relationship with you, including your customer ID, date of account creation, membership tier, age group, gender, country and city of residence. In this case, we will inform you accordingly in the respective information note at the beginning of the survey. We process your data, as described, for research and analysis purposes and to improve our products, processes and service levels, based on our legitimate interests, in accordance with Art. 6 (1) f GDPR.
If you decide to share your feedback with us, we may anonymise the data obtained to create research reports and publications. This is done based on our legitimate interest to conduct and produce statistical research and reports and analysis regarding the use customers make of the products and features provided by N26, in accordance with Art. 6 (1) f GDPR.
For more information on legitimate interest as a legal basis for processing data, please see section II. above.
25. Data processing when using the iDEAL Payment Scheme
iDEAL is a payment method that you can use to make online payments through your N26 App or Web App, for example in an online store or by scanning a QR code. It facilitates a direct transfer from your N26 account to that of a beneficiary (e.g. a merchant). The iDEAL scheme is operated by Currence iDEAL B.V., located at Gustav Mahlerplein 33, 1082 MS Amsterdam, Netherlands (“Currence”), which provides the infrastructure and technical setup for the connection between the online payment environment and your N26 account.
When you initiate an iDEAL payment using your N26 account, we process your name, customer ID and data related to the N26 account that you select to use with iDEAL, namely IBAN, BIC, status, account ID and balance. We also process data related to the iDEAL transaction, which include amount, breakdown, type of transaction (i.e. online, in-store, customer-to-customer or QR), currency, transaction ID (a number used to identify an iDEAL transaction executed by you), reference ID (a number used to identify the transaction authorisation request), status and period of validity (maximum authorisation time for an iDEAL payment request), a unique code to confirm that you have been recognised and authenticated when connecting to your N26 account, as well as the name and ID of the iDEAL payment beneficiary (e.g. a merchant), their bank ID, IBAN and BIC and the merchant category code (if applicable). We further process data related to the device and browser that you used to make the iDEAL transaction, namely IP address, http referer, language settings, device ID, browser ID and device fingerprint.
We process this data as a controller to verify your identity, authenticate you as an N26 customer and to enable your iDEAL payment, based on the execution of our agreement with you as per Art. 6 (1) b GDPR. In this context, we collaborate with Currence, which acts as a data processor on our behalf. Currence also processes your data as a separate controller for their own purposes. You can find more information about the processing of your data by Currence in the iDeal Privacy & Cookies Statement.
In case you create an iDEAL profile in connection with your N26 account, N26 and Currence act as joint controllers for the purpose of enabling your iDEAL profile. An iDEAL profile allows for faster iDEAL payments and checkouts by allowing you to store relevant information within the iDEAL scheme. To verify your identity as well as to register and manage the iDEAL profile, we jointly process your name, address, phone number, email address, the masked IBAN of your selected N26 account (only the first 8 and last 4 characters), a unique iDEAL profile identifier and the timestamp of your iDEAL profile registration. This is done to execute our agreement with you as per Art. 6 (1) b GDPR.
We further process your data to detect and prevent fraud and criminal acts, including money laundering and terrorism financing, as well as to manage risks and for reporting purposes, based on our legitimate interests under Art. 6 (1) f) GDPR. For more information on legitimate interest as a legal basis for processing data, please see section II. above. In addition, we process your data to comply with our legal obligations stemming from applicable laws and regulatory requirements, including anti-money laundering and tax laws as well as other binding measures related to financial matters, based on Art. 6 (1) c) GDPR.
26. Data processing when using the “Share your ideas” Feature
When sharing your ideas using the designated “Share your ideas” feature, we process the information that is technically necessary to enable the feature and display it to you, including app operating system (e.g. iOS, Android, Web), app language version (e.g. EN, DE, IT, ES), app version, T&C country, membership tier and time intervals since passing the KYC process.
Additionally, we combine your ideas with data that we process in the context of our contractual relationship with you, including your app operating system, date of account creation (limited to month and year), app version and country of residence. We will not link your ideas to any direct identifiers, such as your customer ID, and the feedback you provide will not have any influence on our actions towards you. We merely link the data to your idea to better understand the context of your ideas, e.g. if it is something that is specifically interesting for a specific market or if the idea is linked to a specific usage period of our app. We process your data, as described, for research purposes to improve our products, processes and service levels, based on our legitimate interests, in accordance with Art. 6 (1) f) GDPR.
For more information on legitimate interests as a legal basis for processing personal data, please see section II. above.
We ask you not to include any personal data, such as your name or email address, in your feedback. Any personal data included will be anonymized.
IV. Identification by means of a liveness-detection photo and video-ident procedure
N26 is legally obliged to check your identity using a valid identification document within the framework of opening an account and to store specific information from the identification document. For this purpose, we offer you a liveness-detection photo (with the combination of photo and video), via an encrypted transmission path, through our reliance partner Safened-Fourthline. N26 will transmit personal data to its external service providers, as data processors, for the purpose of verifying your identity as required by law. Regarding the liveness-detection photo performed by Safened-Fourthline, we refer to the Safened-Fourthline Terms and Conditions, which we provide you for your acceptance within the identification procedure. Safened-Fourthline will, after your authorization to do so directly on your device, access the camera of your end device and a photograph of you will be taken by yourself, as well as a video in which you will be requested to move, and the front and rear sides of your personal identification document or the principal page of your passport. Your personal data is collected as proof of your eligibility to use our services, in accordance with our legal obligations and based on Art. 6 (1) c) GDPR. In order to verify your identity by means of the photo and videos collected in the identification procedure and the identification document, we collect your consent and thus the processing is based on Art. 6 (1) a) GDPR. Please note that, since we are a digital bank with fully remote communication with our customers, we can only offer a remote check of your identity and thus need your consent to proceed therewith. Once you have completed this identification procedure your personal data will be retained as long as required by our legal obligations, based on Art. 6 (1) c) GDPR.
V. Social Plugins
On our Website, as well as in our Support Center, we have share buttons linking to Facebook, YouTube, LinkedIn, Twitter, Instagram and Glassdoor. These are not third-party plugins, and do not actively send or allow third parties to fetch personal data or any other sort of information whatsoever. The share buttons are hyperlinks that only redirect you to the respective website of the third party when clicked.
VI. Marketing Communication
1. Marketing emails
In our marketing emails, we inform you about our offers related to N26 financial products and services, features and partnerships between N26 and third parties (discount on third party products/services for N26 customers), referral initiatives and we may ask for your feedback or opinion via surveys. If you would like to receive marketing emails, we require an email address from you. We will only send you marketing emails if you expressly consent to this as you open an account or in the settings of your app.
Processing your data in order for us to send you marketing emails is based on your prior consent according to Art. 6 (1) a) GDPR. In order to ensure that we only send you emails that are most relevant to you and correspond with your personal interests, we use customer segmentation based on our legitimate interest according to Art. 6 (1) f) GDPR to send you information that is relevant to you. For this purpose, we screen and analyze your user behavior by processing data related to your recent transactions, withdrawals, deposits, payments as well as friend referrals. For more information on legitimate interests as a legal basis for processing personal data, please see Section II. above.
You can revoke your consent to receiving marketing emails at any time. You can use the link provided at the bottom of every marketing email to revoke your consent. Once you have created your account you can also give or revoke your consent to receive marketing emails in the App settings via N26 App > My Account > Settings > App-Settings > Communication-Settings > disable respective toggle. Please see the Support Center Article for further information on Marketing Communication settings here. You can also object to the processing of your data for customer segmentation. You can find more information about your right to revoke consent and right of objection under Section X. 2.
2. Marketing push notifications
In our marketing push notifications, we inform you about our offers related to N26 financial products and services, features and partnerships between N26 and third parties (discounts on third party products/services for N26 customers), referral initiatives and we may ask for your feedback or opinion via surveys. Push notifications are messages you receive on your phone without a specific request and regardless of whether the App is open. We will only send you marketing push notifications if you expressly consent to this as you open an account or in the settings of your app.
Processing your data in order for us to send you marketing push notifications is based on your prior consent according to Art. 6 (1) a) GDPR. In order to ensure that we only send you push notifications that are most relevant to you and correspond with your personal interests, we use customer segmentation based on our legitimate interest according to Art. 6 (1) f) GDPR to send you information that is relevant to you. For this purpose, we screen and analyze your user behavior by processing data related to your recent transactions, withdrawals, deposits, payments as well as friend referrals. For more information on legitimate interests as a legal basis for processing personal data, please see section II. above.
You can revoke your consent to receiving marketing push notifications at any time in the settings of our N26 app via N26 App > My Account > Settings > App-Settings > Communication-Settings > disable respective toggle. Please see the Support Center Article for further information on Marketing Communication settings here. You can also object to the processing of your data for customer segmentation. You can find more information about your right to revoke consent and right of objection under Section X. 2.
3. Marketing in-app messages
In our marketing in-app messages, we inform you about our offers related to N26 financial products and services, features and partnerships between N26 and third parties (discounts on third party products/services for N26 customers), and we may ask for your feedback or opinion via surveys. In-app messages are small sections within the App providing you with contextual and personalized information.
Processing your data in order for us to send you marketing in-app messages is based on our legitimate interest under Art. 6 (1) f) GDPR to inform you about our offers related to N26 financial products, features and services, partnerships between N26 and third parties (discounts on third party products/services for N26 customers), and ask for your feedback or opinion via surveys. In order to ensure that we only send you information that is most relevant to you and corresponds with your personal interests, we use customer segmentation. For this purpose, we screen and analyze your user behavior by processing data related to your recent transactions, withdrawals, deposits, payments as well as friend referrals and use this information for marketing in-app messages, based on our legitimate interest according to Art. 6 (1) f) GDPR to send you information that is relevant to you. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. Once you created your account you can object to the processing of your personal data to receive marketing in-App updates in the App settings via N26 App > My Account > Settings > App-Settings > Communication-Settings > disable respective toggle. Please see the Support Center Article for further information on Marketing Communication settings here. You can also object to the processing of your data for customer segmentation. You can find more information about your right of objection under Section X. 2.
4. Customer Chat
In our Customer Chat we inform you about offers related to N26 financial products and services, features and partnerships between N26 and third parties (discounts on third party products/services for N26 customers), and we may ask for your feedback or your opinion via surveys.
In order to ensure that we only send you information that is most relevant to you and corresponds with your personal interests, we use customer segmentation. For this purpose, we screen and analyze your user behavior by processing data related to your recent transactions, withdrawals, deposits, payments as well as friend referrals and use this information for marketing information via our Customer Chat, when you are in contact with a customer service agent or N26 Neon, our chatbot, based on our legitimate interest under Art. 6 (1) f) GDPR to inform you about offers related to N26 financial products and services, features and partnerships between N26 and third parties (discounts on third party products/services for N26 customers), and ask for your feedback or opinion via surveys. For more information on the legitimate interest as a legal basis for processing data, please see section II above. Once you created your account you can object to the processing of your personal data to receive marketing messages when using our support chat in the App settings via N26 App > My Account > Settings > App-Settings > Communication-Settings > disable respective toggle. Please see the Support Center Article for further information on Marketing Communication settings here. You can also object to the processing of your data for customer segmentation. You can find more information about your right of objection under Section X. 2.
VII. N26 Social Media Pages
1. N26 Social Media Pages
N26 maintains publicly accessible social media pages on Facebook, Instagram, YouTube, Twitter, LinkedIn and TikTok (hereinafter “N26 Social Media Pages”; the networks jointly “Social Media Networks”). When visiting our Social Media Pages on the Social Media Networks, the networks collect personal data of you as an internet user.1. Facebook
Facebook, a social media network operated by Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland (hereinafter referred to as “Meta”), provides us with usage statistics related to number of site visitors, demographics of site visitors, use of the individual functionalities. Meta compiles these statistics of personal data, which Meta collects when you visit our Facebook social media page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The lawful basis for this data processing is our legitimate interest, in accordance with Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We have no access to personal data that Facebook collects to compile these statistics and cannot link these statistical data to the profiles of our followers or individual users. In addition, Facebook uses cookies, which are stored on your device when you visit our Facebook social media page. This can apply even if you do not have a Facebook account or are not logged into your account while visiting our Facebook social media page. We have no access to personal data that Meta collects while using cookies. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by Meta in Meta's Privacy Policy at: https://www.facebook.com/policy.php. We are joint controllers with Facebook for the processing of your personal data for this purpose. We have concluded an agreement with Facebook in regards to the joint controllership (in terms of Art. 26 GDPR). You can find it here: https://www.facebook.com/legal/terms/page_controller_addendum. Please find additional information here: https://www.facebook.com/legal/terms/information_about_page_insights_data. 2. Instagram
Instagram, a social media network operated by Meta, provides us with usage statistics related to user growth, user demography, use of the individual functionalities. Meta compiles these statistics of personal data, which Meta collects when you visit our Instagram social media page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The lawful basis for this data processing is our legitimate interest, in accordance with Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We have no access to the personal data that Meta collects to compile these statistics and cannot link these statistical data to the profiles of our fans or individual users. In addition, Instagram uses cookies, which are stored on your device while visiting our Instagram social media page. This can apply even if you do not have an Instagram account or are not logged into your account while you are visiting our Instagram social media page. We don’t have access to personal data that Instagram collects while using cookies. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by Instagram in Instagram's Privacy Policy at: https://help.instagram.com/519522125107875. We are jointly responsible with Meta, as the operator of Instagram for the processing of your personal data for this purpose. We have concluded an agreement with Meta as the operator of Instagram in regards to the joint controllership (in terms of Art. 26 GDPR). You can find it here: https://www.facebook.com/legal/terms/page_controller_addendum. Please find additional information here: https://www.facebook.com/legal/terms/information_about_page_insights_data. 3. YouTube
YouTube, a video hosting service operated by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as “YouTube”), provides us with usage statistics related to user growth, user demography and use of the individual functionalities. YouTube compiles these statistics from personal data, which YouTube collects when you visit our YouTube page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The legal basis for data processing is therefore Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We have no access to the personal data that YouTube collects to compile these statistics and cannot link these statistical data to the profiles of our fans or individual users. In addition, YouTube uses cookies, which are stored on your device when you visit our YouTube social media page. This can apply even if you do not have a YouTube account or are not logged into your account while visiting our profile page. We have no access to personal data that YouTube collects while using cookies. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by YouTube in YouTube's privacy policy at: https://policies.google.com/privacy?hl=en-US. We are jointly responsible with Google, as the operator of YouTube, for the processing of your personal data for this purpose (in terms of Art. 26 GDPR).
4. X
X, a social media network operated by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (hereinafter referred to as “Twitter”), provides us with usage statistics related to user growth, user demography and use of the individual functionalities. Twitter compiles these statistics from personal data, which Twitter collects when you visit our Twitter page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The legal basis for data processing is therefore Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We have no access to the personal data that Twitter collects to compile these statistics and cannot link these statistical data to the profiles of our fans or individual users. In addition, Twitter uses cookies, which are stored on your device when you visit our page. This can apply even if you do not have a Twitter account or are not logged into your account while visiting our profile page. We don’t have access to personal data that Twitter collects while using cookies. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by Twitter in Twitter's privacy policy at: https://twitter.com/de/privacy. We are jointly responsible with Twitter for the processing of your personal data for this purpose (in terms of Art. 26 GDPR).
5. LinkedIn
LinkedIn, a social media network operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (hereinafter referred to as “LinkedIn”), provides us with usage statistics related to user growth, user demography and use of the individual functionalities. LinkedIn compiles these statistics from personal data, which LinkedIn collects when you visit our LinkedIn page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The legal basis for data processing is therefore Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We have no access to the personal data that LinkedIn collects to compile these statistics and cannot link these statistical data to the profiles of our fans or individual users. In addition, LinkedIn uses cookies, which are stored on your device when you visit our page. This can apply even if you do not have a LinkedIn account or are not logged into your account while visiting our profile page. You can find details on the collection and storage of your personal data and on the type, scope and purpose of their use by LinkedIn in LinkedIn's privacy policy at: https://www.linkedin.com/legal/privacy-policy. We are jointly responsible with LinkedIn for the processing of your personal data for this purpose. We have concluded an agreement with LinkedIn in regards to the joint controllership (in terms of Art. 26 GDPR). You can find it here: https://legal.linkedin.com/pages-joint-controller-addendum.
6. TikTok
TikTok, a social media network operated by TikTok Information Technologies UK Limited, Kaleidoscope, 4 Lindsey St, Barbican, London EC1A 9HP, United Kingdom (hereinafter referred to as “TikTok”), provides us with usage statistics related to spend, reach, impressions, clicks, views and events and cost per event. TikTok compiles these statistics from personal data, which TikTok collects when you visit our TikTok social media page. Such data processing serves our legitimate interest in improving the user experience for our page visitors in a target group-oriented manner. The legal basis for data processing is therefore Art. 6 (1) f) GDPR. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We have no access to the personal data that TikTok collects to compile these statistics and cannot link these statistical data to the profiles of individual users. We are joint controllers with TikTok for the processing of your personal data for this purpose. We have concluded an agreement with TikTok in regards to the joint controllership (in terms of Art. 26 GDPR). You can find it here for the purpose of analyzing interactions with our TikTok page: https://www.tiktok.com/legal/page/global/tiktok-analytics-joint-controller-addendum/en and here for the purpose of analyzing interactions with ads that we post on TikTok: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms. Further information on how TikTok processes Personal Data, including the legal basis TikTok relies on and the ways to exercise Data Subject rights against TikTok, can be found in the relevant TikTok inventory privacy notice (https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE).
7. Data processing by N26
If you use our Social Media Pages to contact us (e.g. by creating your own posts on our Social Media Pages or by tagging us, responding to one of our posts or by sending us private messages) we collect personal data that you provide to us. We only use such personal data for the purpose of communicating with you in order to provide the requested information. When you reach out to us regarding any contractual matters related to an account (such as account opening, account or transaction related information), the lawful basis for the data processing is Art. 6 (1) b) GDPR. Otherwise the lawful basis for the data processing is our legitimate interest, in accordance with Art. 6 (1) f) GDPR. Such data processing serves our legitimate interest in allowing us to communicate with you upon your inquiry and answer your request. For more information on the legitimate interest as a legal basis for processing data, please see section II. above. We delete stored data when they are no longer necessary for this purpose or to comply with any applicable statutory requirements.
When entering into competitions or giveaways published on our Social Media Pages, we process certain personal data related to you required for the administration and organisation of the competition or giveaway as well as potential announcements of winners. This includes your name, username and the content of the post(s) that you make in the context of promotion or giveaway, or any other data points provided by you in the course of your participation. Should you win a prize, we further process your email address to communicate with you (e.g. to deliver your prize) and your tax ID and address for tax reporting purposes, and we might use your data to announce you as the winner on our Social Media Pages.
Where you participate and win in a competition or giveaway, the processing of your data is necessary for the performance of a contract, based on Art. 6 (1) b) GDPR.
Where we are legally obliged to process your personal data for tax reporting purposes, the lawful basis for this data processing is the compliance with our legal obligations, in accordance with Art. 6 (1) c) GDPR. Otherwise the lawful basis for this data processing is our legitimate interest, based on Art. 6 (1) f) GDPR. Such data processing serves our legitimate interest in offering competitions and giveaways for marketing purposes. For more information on the legitimate interest as a legal basis for processing data, please see section II. above.
Personal data collected as part of competitions and giveaways are solely processed for the purpose of selecting the winners and will be deleted within 4 weeks after the end of the competition or giveaway period. This does not apply with regards to winners. In that case, we delete stored data when they are no longer necessary for this purpose or to comply with any applicable statutory requirements.
VIII. International transfers of personal data
Insofar as N26 transmits data to entities located outside the European Economic Area and in order to ensure an appropriate level of data protection equivalent to that granted under the GDPR upon the international transfers of personal data, N26 has implemented one or more of the following transfer mechanisms, in addition to safeguards in accordance with the international data transfer impact assessment on the respective data transfer, if applicable:
- A decision of the European Commission deciding that the third country ensures an adequate level of protection, pursuant to Art. 45 (1) GDPR - the existing adequacy decisions can be found here (this includes commercial organisations participating in the EU-US Data Privacy Framework);
- Binding Corporate Rules (“BCRs”) approved as per Art. 47 GDPR, pursuant to Art. 46 (2) b) GDPR;
- Standard data protection clauses for the transfer of personal data to third countries (“SCCs”), as adopted by the European Commission, pursuant to Art. 46 (2) c) GDPR - the most recent version of the SCCs can be found here;
- Your explicit consent under Art. 49 (1) a) GDPR, when we transmit data to entities located outside the European Economic Area and in third countries that don't provide an adequate level of protection of personal data in the terms of the GDPR and none of the other transfer mechanisms apply.
You can obtain a detailed copy of the transfer mechanism and more information in this regard by sending a request to N26 to the addresses indicated in section XII. below.
IX. Data collected in the framework of phone call recordings
When discussing any contractual matters (such as account related information or your transactions) with us on the phone, the call between us will be recorded for security and evidence reasons. Our interest to be able to prove contractual inquiries as well as to prevent and detect fraudulent behavior stipulates our legitimate interest to record calls in accordance with Art. 6 (1) f) GDPR. This does not apply to calls aimed at clarifying general inquiries related to N26 products and services.
The call recordings will be retained as long as required for security and evidentiary purposes. The call recordings will be processed by our Interactive Voice Response (IVR) service provider who is processing personal data on behalf of N26 (Art. 28 GDPR). If we are required to do so, the recordings will be shared with the competent authorities, in accordance with the applicable law.
If you do not wish to be recorded when calling us, please do contact us by email or through our Customer Chat for queries related to account related information or your transactions.
X. Rights
1. Your rights
You have the following rights concerning your personal data:
- right to revoke your consent according to Art. 7 (3) GDPR, which is detailed in section X.2. below;
- right of access according to Art. 15 GDPR, which means you can request information on whether your personal data is being processed by N26 and information on the particular processing of personal data, at any time, along with a copy of the information processed. In no case does this right cover access to documents or obtaining copies of such documents;
- right of rectification according to Art. 16 GDPR, which means you can request the rectification of your data when they are incomplete or inaccurate;
- right to erasure according to Art. 17 GDPR, which means you can request the deletion of your personal data when they are no longer required by N26 for the purposes they were initially collected for, or when you understand they have been illicitly used. N26 can reject your request, if the data is necessary to comply with a legal obligation, for public interest reasons or for legal actions;
- right to restriction of the processing according to Art. 18 GDPR, which means you can request the restriction of the processing of your personal data when it is legally permitted and, in particular, (i) while you challenge the accuracy of your data, (ii) when you request the restriction of your data because you believe the processing is unlawful, or (iii) when the data is no longer needed for the purposes for which it was collected but N26 needs them for legal actions;
- right to object to the processing according to Art. 21 GDPR, which is detailed in section X.2. below;
- right to data portability according to Art. 20 GDPR, which means you can request N26 to provide you personal data, in a structured, commonly used and machine-readable format and to transmit your data to another controller where the data processing is based on the consent, or on a contract and the processing is carried out by automated means;
- right to lodge a complaint with a supervisory authority according to Art. 77 GDPR, which means that you can complain before the supervisory authority if you consider that the processing of your personal data by N26 infringes the GDPR.
Without prejudice to section X.2. below, please:
- Exercise your right of access, right to erasure and right to object to the processing through our webform;
Please do not address your requests through a third party platform which requires us to get back to you through that same means, since we are not able to clearly identify you as an N26 customer in such cases. Instead, please resort to the aforementioned ways of making use of your rights before N26.
2. Specifically, your right to revoke consent and right of objection
You can find below more details about your right to revoke consent and right of objection:
- Right to revoke your consent (in accordance with Art. 7 (3) GDPR)
You have the right to revoke your consent to the processing of your personal data at any time with effect for the future. In the event you revoke your consent, your personal data is not processed any longer, unless further processing can be based on a different legal basis for processing (excluding consent). The processing of your personal data remains justified until the date of your revocation. You can exercise your right to revoke your consent via the specific means provided in our Web App or App, if applicable.
- Right of objection (in accordance with Art. 21 (1) GDPR)
You have the right to object to the processing of your personal data, which is processed in accordance with Art. 6 (1) e) and Art. 6 (1) f) GDPR, at any time. This does also include profiling according to Art. 4 (4) GDPR. In case you object, your personal data is not processed any longer, except when we have legitimate reasons to continue the processing, which exceed your interests, rights and liberties or when the processing is necessary to enforce, exercise or defend legal claims. The processing of your personal data remains justified until the date of your objection. You can exercise your right of objection through our webform.
- Right of objection concerning data processing for direct marketing purposes (in accordance with Art. 21 (2) GDPR)
In some cases, we process your personal data for direct marketing purposes. You have the right to object to the processing of your personal data for direct marketing purposes at any time. This also applies to profiling, in case it is connected to direct marketing purposes. In case you object to the processing of your personal data for direct marketing purposes, your personal data is not processed any longer for this purpose. The processing of your personal data remains justified until the date of your objection. You can exercise your right of objection through our webform.
XI. Deletion and retention periods
We store and process your personal data only as long as it is necessary to perform our obligations under the agreement with you or as long as the law requires us to store it. That means, if the data is not required anymore for statutory or contractual obligations, your data will be deleted. This also occurs in case your onboarding process is not finalized with the opening of an account, and meanwhile there are still pending legal or security obligations for the bank to preserve your data. However, that rule does not apply, if its limited processing is necessary for the following purposes:
- Complying with regulatory and tax retention periods, which relate to the applicable laws and complementary regulation, including the following laws: Commercial Code (Handelsgesetzbuch), Tax Code (Abgabenordnung), Banking Act (Kreditwesengesetz), Money-laundering Act (Geldwäschegesetz) and Security Trading Act (Wertpapierhandelsgesetz). The statutory retention periods and documentation obligations are between two and ten years. The applicable legal basis is Art. 17 (3) b) GDPR together with Art. 6 (1) c) GDPR.
- Keeping evidence in the context of statutory limitation periods. According to German Civil law (Bürgerlichen Gesetzbuch) these limitation periods can be up to thirty years, however the regular limitation period is three years. The applicable legal basis for this is Art. 17 (3) e) GDPR together with Art. 6 (1) f) GDPR.
Furthermore, whenever your consent is the legal ground to process your personal data, N26 will store that data for as long as you do not revoke your consent or until your account is closed, whichever happens last.