GDPR Compliance

Our commitment to protecting your personal data in accordance with the General Data Protection Regulation

Data Protection Principles

Fintivio Inc. is committed to processing personal data in accordance with the six data protection principles outlined in the GDPR:

  • Lawfulness, fairness and transparency: We process data lawfully, fairly, and transparently
  • Purpose limitation: Data is collected for specified, explicit, and legitimate purposes
  • Data minimization: We collect only data that is adequate, relevant, and limited to what is necessary
  • Accuracy: Personal data is kept accurate and up to date
  • Storage limitation: Data is kept only as long as necessary for the purposes for which it was collected
  • Integrity and confidentiality: Data is processed securely with appropriate technical and organizational measures

Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contractual necessity: To provide our wealth management services
  • Legal obligation: To comply with financial regulations and reporting requirements
  • Legitimate interests: For business operations, security, and service improvement
  • Consent: Where explicitly provided for marketing communications

Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access: Request copies of your personal data
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data under certain circumstances
  • Right to restrict processing: Request limitation of processing under certain conditions
  • Right to data portability: Request transfer of your data to another organization
  • Right to object: Object to processing based on legitimate interests or direct marketing
  • Rights related to automated decision-making: Protection against solely automated decision-making

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including:

  • Client data: Retained for the duration of the business relationship plus 7 years for regulatory compliance
  • Transaction records: Retained for 7 years as required by financial regulations
  • Marketing data: Retained until consent is withdrawn or until 3 years of inactivity have passed
  • Website analytics: Retained for 26 months

International Transfers

When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Adequacy decisions by the European Commission
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules where applicable
  • Certification schemes and codes of conduct

Security Measures

We implement appropriate technical and organizational measures to ensure data security:

  • End-to-end encryption for data in transit and at rest
  • Multi-factor authentication and access controls
  • Regular security assessments and penetration testing
  • Employee training on data protection and security
  • Incident response and breach notification procedures

Data Protection Officer

Our Data Protection Officer oversees GDPR compliance and can be contacted at:

Email: dpo@fintivio.com
Address: Fintivio Inc., Data Protection Officer
Calle de Genova 10, Madrid, Spain

Exercising Your Rights

To exercise any of your GDPR rights, please contact us at:

Email: privacy@fintivio.com
Phone: +1 (806) 283-5455
Address: Fintivio Inc., Privacy Team
Calle de Genova 10, Madrid, Spain

We will respond to your request within one month of receipt. In complex cases, we may extend this period by two additional months.

Complaints

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with:

  • Your local supervisory authority
  • The Spanish Data Protection Agency (AEPD) as our lead supervisory authority
  • The supervisory authority in the EU member state where you habitually reside or work

Updates to This Policy

We may update this GDPR compliance statement from time to time to reflect changes in our practices or applicable law. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by other means such as email notification.

Last updated: May 29, 2025