openbanking.io

Privacy Policy

How open-banking.io handles your personal data.

Last updated: 11 June 2026

1. Data controller

The data controller is Tatic ApS (CVR 42532940), Mejsevej 2, Hadbjerg, 8370 Hadsten, Denmark, operating under the secondary name OpenBanking IO ApS.

Privacy and GDPR requests: [email protected].

2. What we collect

Personal data: your email address only, received when you sign in via OIDC. We use it for invoicing and for operational notifications. No marketing without your consent, no data selling, no ads, no profiling.

Bank data: with your PSD2 consent, we retrieve and store your bank account and transaction data. This is the substance of the service — we process it only to deliver it back to you.

3. Purposes and legal bases

  • Providing the service and invoicing — contract, GDPR Art. 6(1)(b)
  • Security and alerts when a bank consent is about to expire — legitimate interest, GDPR Art. 6(1)(f)
  • Access to your bank data under PSD2 — your consent, GDPR Art. 6(1)(a), given directly at your bank and revocable at any time

4. Processors and sub-processors

We use a small set of European processors:

  • Enable Banking Oy (Espoo, Finland) — bank connectivity; a registered AISP supervised by the Finnish Financial Supervisory Authority (FIN-FSA) under PSD2. Neither we nor Enable Banking store your bank credentials.
  • Hetzner (Hetzner Online GmbH / Hetzner Finland Oy) — hosting in ISO/IEC 27001:2022-certified data centers in Germany and Finland.
  • Gcore — DDoS protection and network edge, on European infrastructure.
  • Flatpay (Denmark) — invoicing and card payments. We never store card details.

Bank data is never shared with third parties beyond these processors.

5. Where your data lives

All data is stored and processed within the EU — in data centers in Germany and Finland. We do not transfer your data outside the EU.

6. Retention and deletion

We keep your data for as long as your account is active. When you delete your account, your bank account and transaction data is deleted.

You can also revoke individual bank consents at any time; we then stop retrieving data from that bank.

7. Security

Data is encrypted in transit and at rest. Hosting runs in ISO/IEC 27001:2022-certified data centers, behind European DDoS protection.

Found a vulnerability? Report it to [email protected]. We acknowledge reports within 48 hours and ask that you coordinate with us before disclosing publicly.

8. Your rights

Under the GDPR you have the right to access, rectification, erasure, data portability, restriction of processing, and objection. To exercise any of these, write to [email protected].

If you believe we process your data unlawfully, you can complain to Datatilsynet, the Danish Data Protection Agency (datatilsynet.dk).

9. Consent-expiry notifications

Under PSD2, bank consents expire periodically and must be renewed. We email you before a consent expires so syncing continues uninterrupted. These are operational notifications, not marketing, and are sent under our legitimate interest in keeping the service working for you.

10. Changes to this policy

If we change this policy materially — for example by adding a processor or a new purpose — we notify you by email before the change takes effect. The date at the top always reflects the current version.

11. Contact

  • Privacy and GDPR requests: [email protected]
  • General support: [email protected]
  • Security reports: [email protected]
© 2026 openbanking.io. All rights reserved.