1. HOW WE PROCESS YOUR PERSONAL DATA
To manage your relationship with us, Imaginersgen S.A. (hereinafter "IMAGIN") will process your personal data for various purposes, always in accordance with the applicable laws, respecting your rights and with complete transparency.
How we process your data may vary depending on how much you identify yourself in your relationship with us, which is why:
- When you register on our mobile application (hereinafter the "Imagin app") with a name, telephone number and email address, we will consider you an unidentified user ("Imaginer Lead/Reload User"), and will apply certain processes to your data, as detailed in this Privacy Policy.
Section 6 ("Types of data processing") specifies the processes that apply to the data of an Imaginer Lead/Reload User.
- When you register in the Imagin app using the identification means provided by CaixaBank, S.A. ("CaixaBank"), we will consider you to be a fully identified user ("Imaginer Infinity User") and will apply certain processes to your data, as detailed in this Privacy Policy.
Section 6 ("Types of data processing") specifies the processes that apply to the data of an Imaginer Infinity User.
This Privacy Policy, which you can access at any time from Settings>Legal information>Privacy policy and at www.imagin.com/politicaprivacidad, provides full details on how we will use your data in our interactions with you.
The main regulations that govern how we process your personal data are:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the GDPR).
- Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (hereinafter the LOPD).
2. WHO PROCESSES YOUR DATA
Data controller: The controller of your personal data in your interactions with us ("Contractual Relationship") is IMAGIN (ImaginersGen, S.A.), with Tax ID number (NIF) A-61363339 and registered address at Carrer de l'Estany 1-11, Barcelona.
Joint data controllers: Furthermore, for certain processing, detailed information for which is provided in this policy, IMAGIN will jointly process your data with other companies, jointly deciding on the purposes ("what the data are used for") and the resources used ("how the data are used"), which thus makes them the joint data controllers.
The purposes for which IMAGIN will jointly process your data with other companies are described in detail in Section 6 "Types of data processing".
You can also find the list of companies that process your data, as well as the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.
3. DATA PROTECTION OFFICER
IMAGIN and the CaixaBank Group companies have appointed a Data Protection Officer, who will deal with any matters related to the processing of your personal data and the exercising of your rights.
You can contact the Data Protection Officer to send your suggestions, queries or claims by going to: www.caixabank.com/delegadoprotecciondedatos.
4. EXERCISING RIGHTS AND FILING COMPLAINTS THROUGH THE SPANISH DATA PROTECTION AUTHORITY (AEPD)
You can exercise your rights to access, rectification, object to processing, erasure, restriction, data portability, withdraw consent and not be subject to automated decision-making in accordance with the law.
You can exercise these rights through any of the following channels:
- eat our CaixaBank branches open to the public;
- by using the options available in the SETTINGS area of the Imagin app;
- by visiting www.imagin.com/ejerciciodederechos; and
- by sending a letter to Apartado de Correos nº 209, Valencia 46080.
Additionally, if you have any complaints related to the processing of your data, you can send them to the Spanish Data Protection Authority (www.agpd.es).
5. DATA PROCESSED
The types of information used in the different processing operations described in this Privacy Policy are specifically detailed in each of the processes explained in Section 6.
6. TYPES OF DATA PROCESSING
We process your data for various different purposes and on different legal grounds.
- Processing based on your consent.
- Processing required for the Contractual Relationships.
- Processing required to comply with regulatory obligations.
- Processing based on IMAGIN's legitimate interest.
Of the above processes, some will be carried out only for Imaginer Infinity users and others for Imaginer Lead/Reload users. The remaining processes will be carried out for all IMAGIN users (Imaginer Infinity and Imaginer Lead/Reload users).
The detailed information for each process detailed herein specifically explains whether the process is applied to Imaginer Infinity users, to Imaginer Lead/Reload users or to all IMAGIN users.
In addition to the processes described, we may carry out specific processing operations not mentioned in this policy in response to your requests for products or services. Detailed information on these processing operations will be provided to you at the time of processing the specific request.
PROCESSES CARRIED OUT FOR IMAGINER INFINITY USERS
6.1 PROCESSING BASED ON YOUR CONSENT
The legal basis for these processes, which only apply to Imaginer Infinity users, is your consent, as laid out in Article 6.1.a) of the General Data Protection Regulation (GDPR).
We may have requested this consent through different channels; for example, when you registered as a customer with CaixaBank at a branch, through digital channels or mobile apps, or through any of the companies of the CaixaBank Group that is jointly responsible for the treatment, or through any Bankia, S.A. channel prior to its merger with CaixaBank.
If you gave Bankia your consent to process your data for commercial purposes, prior to its merger with CaixaBank, processes A, B and C, as indicated below, will be carried out as per the preferences you indicated to Bankia at that time.
Specifically, the processing described in items A and B below will only be carried out by CaixaBank Group companies as joint controllers if you consented to the disclosure of data between Bankia group companies (now CaixaBank).
If, for any reason, we never asked you for your consent, this processing will not apply to you.
You can view the consent you have given or denied, and change your decision at any time at no cost in the IMAGIN app (SETTINGS) or at a CaixaBank branch.
Processing based on your consent is indicated below from (A) to (C). For each item, we will indicate: a description of the purpose (Purpose), the details of the processed data (Processed data), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).
A. Customisation of product offer according to analysis of your data
Purpose: If we have your consent, we will use the data specified below to create a commercial profile for you, which will allow us to define your preferences or needs and offer you products and services from joint data processors that we believe may interest you based on those preferences and needs.
By processing your data, we can make customised offers that may be of more interest to you than generic offers.
Data processed: We will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation.
The data we will process for this purpose are:
- Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
- Details of your professional or work activity and socio-economic information: details related to your job, income or remuneration, household, level of education, assets, tax and fiscal data.
- Contract details: contracted or requested products and services (own or third-party), account holder status, authorised or representative of the product and service contracted, categorisation according to regulations regarding securities markets and financial instruments (MiFID category), information on investments made and their evolution and information and transactions related to your financing operations.
- Basic financial data: current and historical balances of products and services and payment history of contracted products and services (own or third party).
- Third-party data from statements and receipts of instant accounts and payment accounts: information on entries and transactions that third-party issuers make to your accounts, including transaction type, issuer, amount, and the concept as it appears on your receipts and statements for debit, credit and prepaid card transactions.
- Details of whether or not you are a CaixaBank shareholder: if you own CaixaBank shares or not.
- Details of our communications with you: data obtained in chats, walls, video conferences, telephone calls or any other equivalent means of communication.
- Own browsing data: data obtained from your browsing of our websites or applications and your browsing history in these websites: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address, whether you have accepted the use of cookies and similar technologies on your browsing devices.
- Geographic data: details of the location of the businesses where you make card transactions and geolocation data from your mobile device provided by the installation and/or use of our mobile applications, when authorised by you in the settings for the apps themselves.
- Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to client data, which helps us to combat fraud, detect your consumer habits, preferences or product tendencies, for regulatory compliance and to manage your products and services.
- Risk assessment data or scoring: in financing or payment for instalments, we will forecast your capacity to pay or not pay, or the risk limits, applying statistical mathematical models using your data.
- Details of the Equifax RISK SCORE: In financing or instalment operations, we will use the result provided by this system to forecast the probability of default at 12 months, which is calculated by applying statistical and mathematical models to your Personal ID, post code of residence and data in credit information systems.
- Data on credit information systems: obtained by consulting the Asnef and Badexcug solvency files, which provide information on debts, financial solvency and credit (debtor, creditor and debt).
- CIRBE data: we will check if you have risk (financing) with other banks. We will obtain this information from the Bank of Spain Credit Reporting Agency (CIRBE).
- Demographic and socio-economic data: these are data not relating to specific people but geographical areas, age sectors or professional activity sectors, which we will use to put into context with customer information.
- Details of properties and vehicles associated with you: data obtained from the land registry and basic data on vehicles obtained from the Spanish Traffic Directorate, which we will use to add to the information on your properties and vehicle.
- Details of directors, functional officers and corporate relationships: data taken from the INFORMA databases that we will use to add to the information on your activities.
- Details of agricultural subsidies and insurance: these are data published by the Spanish Agricultural Guarantee Fund (FEGA) and the State Agricultural Insurance Institution (ENESA).
- Data from third-party companies to which you have given your consent to share them with us: data on you processed by other companies with which we have agreements, and which you have authorised to share your information with us.
- Navigational details: data obtained from your browsing of third-party websites or applications and your browsing history in these websites: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address, whether you have accepted the use of cookies and similar technologies on your browsing devices.
- Data from social media or the internet: data from social media or the internet that you authorise us to view.
Use of profiling: For this processing, we will create a business profile that we will use exclusively to customise our products and services for you;
- Purpose of the profile: The purpose of the profile is to identify the products and services we think may interest you, based on the information we have about you, to send you specific rather than generic commercial offers.
- Consequences: If you authorise the processing, we will use commercial profiles to decide which products or services to offer you. If you do not give your authorisation, we will not use your information to customise our commercial offer.
We do not use this profiling, under any circumstances, to refuse any product or service, or to set credit limits. Refusal to accept this processing will not prevent, limit or condition your access to our full catalogue of products and services that is always available to you.
If you wish to contract any product or service, your request will be assessed in accordance with our regular procedures, and whether or not you accept analysis of your data to customise the product offer will not affect this assessment.
- Logic: A customer's profile is calculated based on the data indicated in the "Data processed" section.
These data are applied to mathematical formulas obtained from past behaviours observed in clients of similar characteristics to infer the customer's future behaviour. These mathematical formulae allow us to determine the importance of all the data processed in the final result of the applicant's profile.
This final result is the probability that the customer will be interested in a product or service.
Other relevant information: The following section includes other relevant data processing information:
- Duration of data processing: We will only process your data in this way if you have given us your express consent to do so, and your consent will remain in force until you withdraw it. If you cancel all your products or services with us, but forget to revoke your consent, we will do so automatically.
- Offer of products and services from companies acting as joint data controllers: If you consent to this processing, we will offer you products and services marketed by the companies acting as joint data controllers detailed in the following section.
These companies engage in activities related to finance, banking and payment methods, including the offering of property assets derived from these activities; to the insurance business; to general e-commerce; to leisure; and to the promotion of corporate and sustainability actions.
Joint data controllers: The following CaixaBank Group companies are joint data controllers of this data processing.
- CaixaBank, S.A.
- CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Wivai Select Place, S.A.U,
- ImaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.
B. Communication of the commercial offer through other channels
Purpose: We will make our commercial offer available to you only through the channels that you authorise.
Data processed: The data we will process for this purpose are:
- Identifying and contact details: full name, sex, telephone and email contact information, address of residence, language choice.
Other relevant information: The following section includes other relevant data processing information:
- Duration of data processing: We will only process your data in this way if you have given us your express consent to do so, and your consent will remain in force until you withdraw it. If you cancel all tus your products or services with us, but forget to revoke your consent, we will do so automatically.
Joint data controllers: The following CaixaBank Group companies are joint controllers for this data processing:
- CaixaBank, S.A.
- CaixaBank Payments & Contumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Wivai Select Place, S.A.U,
- ImaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.
C. Disclosure of data to other companies
Purpose: If we have your consent, we will transfer the data specified below to other companies with which we have agreements, so that they may send you offers on their products and services.
If you do not consent to this processing, we will not transfer your data. If you consent, the data we transfer to other companies will vary depending on whether you have authorised us to customise our product offerings by analysing your data:
- If we do not have your consent to customise our commercial offer (process A above), we will only provide these companies your identifying and contact details.
- If you have given us your consent to personalise our commercial offer (process A above), we will also inform these companies of your commercial profile, which contains information on your preferences and needs, as well as inferred information about your probability of payment or non-payment, or risk limits.
These third-party companies to which we might transfer your data are dedicated to the following activities:
- banking
- investment services
- insurance and reinsurance
- venture capital
- property
- highways
- sale and distribution of goods and services,
- consulting services
- leisure and
- charity-social action
Data processed: We will not process data that contains information that reveals your ethnicity or race, your political opinions, religious or philosophical convictions, union membership, the processing of genetic data, biometric data intended to uniquely identify you, health data or data relating to your sex life or orientation.
These are the data that we will use if you consent to the transfer of your data to third parties, but we do not have your consent to customise the commercial products and services we offer you (process A above):
- Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
We will also use the following data if you have given us your consent to personalise the commercial products and services we can offer you (process A above):
- Data obtained from the execution of statistical models: we use the results of applying mathematical modelling to client data, which helps us to combat fraud, detect your consumer habits, preferences or product tendencies, for regulatory compliance and to manage your products and services.
- Risk assessment data or scoring: in financing or payment for instalments, we will forecast your capacity to pay or not pay, or the risk limits, applying statistical mathematical models using your data.
Other relevant information: The following section includes other relevant data processing information:
- Data transfer information: If we reach an agreement with a third company to transfer your data, the recipient company would inform you of this, as well as of the data transferred and details of the processing they intend to carry out.
- Duration of data processing: We will only process your data in this way if you have given us your express consent to do so, and your consent will remain in force until you withdraw it. If you cancel all your products or services with us, but forget to revoke your consent, we will do so automatically.
Joint data controllers: The following CaixaBank Group companies are joint controllers for this data processing:
- CaixaBank, S.A.
- CaixaBank Payments & Contumer, E.F.C., E.P., S.A.U.
- Nuevo Micro Bank, S.A.U.
- Wivai Select Place, S.A.U,
- ImaginersGen, S.A.
- VidaCaixa, S.A.U. de Seguros y Reaseguros
You will find the essential aspects of the joint data controller agreements at: www.caixabank.es/empresasgrupo.
PROCESSES CARRIED OUT FOR IMAGINER LEAD/RELOAD USERS
6.2 PROCESSING BASED ON IMAGIN'S LEGITIMATE INTEREST
This processing only applies to Imaginer Lead/Reload users, and the legal basis is the legitimate interests pursued by IMAGIN or a third party, provided that these interests do not take precedence over your interests, or your fundamental rights and freedoms, as per Art. 6.1.f of the General Data Protection Regulation (GDPR).
This process will imply that we have considered your rights and our legitimate interests and we have concluded that the latter prevail. Otherwise, we would not process the data. You can ask about the analysis that is done to weigh the legitimate interest of a processing operation at any time by emailing your enquiry to delegado.proteccion.datos@caixabank.com.
We also remind you that you have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in Section 4.
A. Products and services offered.
IMAGIN's legitimate interest: It is in IMAGIN's legitimate interest to provide information on the products and services that it markets to users who have shown an interest in them, or who have requested or signed up for similar products or services previously.
Purpose: The purpose of the processing is to select the target audience for the products and services offered by means of commercial communications through electronic means.
The data we will process for this purpose are:
- Identifying and contact details: full name, sex, telephone and email information, language choice, identification document.
- Contract data: products and services signed up for or requested.
- Basic financial data: payment history for products and services.
- Own browsing data: the data obtained from your browsing of our websites or applications and your browsing history in these websites: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address, whether you have accepted the use of cookies and similar technologies on your browsing devices.
- Navigational details: data obtained from your browsing of third-party websites or applications and your browsing history in these websites: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address, whether you have accepted the use of cookies and similar technologies on your browsing devices.
Other relevant information:
- Right to object to processing: Note that you have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in Section 4.
Data Controller: The data controller in this case is IMAGIN. This processing is not carried out as joint controllers.
PROCESSES CARRIED OUT FOR ALL IMAGIN USERS
6.3 PROCESSING REQUIRED FOR CONTRACTUAL RELATIONSHIPS
We will carry out these processes for all IMAGIN users (Imaginer Infinity and Imaginer Lead/Reload). The legal basis for this processing is that it is required to manage the products or services that you request or that you are party to, or to apply, if you so request, pre-contractual measures ("Contractual Relationships"), pursuant to Article 6.1.b of the General Data Protection Regulation (GDPR).
Therefore, this processing is necessary for you to enter into and maintain a Contractual Relationship with us. If you object to it, we will end this relationship, or will not be able to establish it if not done already.
The types of processing required to establish contractual relations are listed below, arranged from (A) to (C). For each item, we will indicate: a description of the purpose (Purpose), the data processed (Data processed), if applicable, information on the use of profiles (Use of profiles), if applicable, other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).
A. Signing, maintenance and performance of Contractual Relations.
Purpose: The purpose of this data processing is to formalise and maintain the Contractual Relationships established between you and us, including the processing of your requests or orders, the steps prior to entering into a contract (pre-contractual relationships) or your purchase of a product or service.
This data processing involves collecting the information necessary to establish or to manage the application and to process the information needed to properly maintain and execute the contracts and/or purchases made by you.
The processing activities involved in signing, maintaining and performing the Contractual Relations are::
- Collection and registration of the data and documents needed for you to purchase the products or services requested.
- Managing the products and services you have taken out with us, including responding to your questions regarding operations and handling any associated incidents.
Data processed: The data we will process for this purpose are:
- Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
- Contract data: the products and services you have with us or third parties or have requested.
- Basic financial data: payment history for products and services.
Other relevant information: Once you have contracted any products or services (leisure, mobility, travel, financing, insurance...) from third party companies, your data will be processed by said company, as agreed upon.
So, for example, when you take out a prepaid MoneyToPay card, the processor will be MoneyToPay (Global Payments MoneyToPay, EDE, S.L.).
When you benefit from our special offers or discounts, your data will also be processed by the companies that offer them (for example, when you benefit from Booking discounts from the application).
Finally, when you are an ImaginBank customer and access your banking information to manage your financial products and services using our application, remember that the entity responsible for processing your data is ImaginBank (CaixaBank, S.A.).
Data Controller: The data controller in this case is IMAGIN. This processing is not carried out as joint controllers.
6.4 PROCESSING REQUIRED TO COMPLY WITH REGULATORY OBLIGATIONS
The legal basis of this processing, which applies to all IMAGIN users (Imaginer Infinity and Imaginer Lead/Reload users), is the requirement to comply with a legal obligation that is required of us, as laid out in Article 6.1.c) of the General Data Protection Regulation (GDPR).
Therefore, it is necessary for you to establish and maintain Contractual Relations with us. If you object to it, we will need to end this relationship, or will not be able to establish it if not done already.
The types of processing required to satisfy the regulatory requirements are listed below, arranged from (A) to (B). For each item, we will indicate: a description of the purpose (Purpose), the data processed (Data processed), if applicable, information on the use of profiles (Use of profiles), if applicable, other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).
A. Processing for handling complaints and claims.
Purpose: The purpose of this processing is to handle queries, complaints and claims submitted to IMAGIN.
Furthermore, Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights requires the data controller (in this case IMAGIN) to handle any complaints submitted to its Data Protection Officer and respond to any data protection rights exercised by data subjects.
The following processing operations are carried out to comply with regulations on the processing of complaints and claims:
- Receiving complaints and claims submitted to IMAGIN's Customer Service Department;
- Responding to complaints and claims within the established time frame, and;
- Managing data protection rights and queries submitted to the CaixaBank Group's Data Protection Officer and the necessary activities to collaborate with the Control Authority (Spanish Data Protection Agency).
Data processed: The data we will process for this purpose are:
- Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
- Contract data: products and services signed up for or requested.
- Basic financial data: payment history for products and services.
Data Controller: The data controller in this case is IMAGIN. This processing is not carried out as joint controllers.
6.5 PROCESSING BASED ON IMAGIN'S LEGITIMATE INTEREST
This processing applies to all IMAGIN (Imaginer Infinity and Imaginer Lead/Reload) users, and the legal basis is the legitimate interests pursued by IMAGIN or a third party, provided that these interests do not take precedence over your interests, or your fundamental rights and freedoms, as per Art. 6.1.f of the General Data Protection Regulation (GDPR).
This processing will imply that we have considered your rights and our legitimate interest and we have concluded that the latter prevails. Otherwise, we would not process the data. You can ask about the analysis that is done to weigh the legitimate interest of a processing operation at any time by emailing your enquiry to delegado.proteccion.datos@caixabank.com.
We also remind you that you have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in Section 4.
This processing is indicated below, arranged from (A) to (C). For each item, we will indicate: IMAGIN's Legitimate Interest (IMAGIN's legitimate interest), a description of the purpose (Purpose), the data processed (Data processed), if applicable, information on the use of profiles (Use of profiles), other relevant processing information (Other relevant information) and whether or not the processing is carried out jointly with other CaixaBank Group companies (Joint data controllers/Data controller).
A. Fraud prevention.
IMAGIN's legitimate interest: IMAGIN's legitimate interest in processing the data is to prevent fraud that results in economic or reputational losses for IMAGIN or its users.
Purpose: The purpose of this processing is to adopt the necessary measures to prevent malicious transactions or conduct before they occur or to mitigate their impact if they do occur by identifying suspicious transactions or conduct that could involve an attempt to defraud IMAGIN or its customers.
The processing operations carried out to prevent fraud are:
- Verifying the proper access or identity of users who interact with IMAGIN to prevent fraudulent access to information or operations.
- Reviewing and analysing the contracts and operations carried out in our systems to protect our users from fraud through any channel and prevent cyberattacks.
Data processed: The data we will process for this purpose are:
- Identifying and contact details: full name, sex, telephone and email contact information, address of residence, nationality and date of birth, language choice, identification document.
- Contract data: products and services signed up for or requested.
- Basic financial data: payment history for products and services.
- Own browsing data: data obtained from your browsing of our websites or applications and your browsing history in these websites: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address, whether you have accepted the use of cookies and similar technologies on your browsing devices.
- Navigational details: data obtained from your browsing of third-party websites or applications and your browsing history in these websites: browsing history (pages visited and clicks on content), device ID, advertising ID, IP address, whether you have accepted the use of cookies and similar technologies on your browsing devices.
- Right to object to processing: Note that you have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in Section 4.
Data Controller: The data controller in this case is IMAGIN. This processing is not carried out as joint controllers.
B. Preparation of management reports and mathematical models.
IMAGIN's legitimate interest: IMAGIN's legitimate interest in carrying out this process is to design, organise and optimise its corporate and commercial activity as efficiently as possible, which requires having reports on the management and activity of the company and the market, as well as advanced information analysis mathematical algorithms.
Purpose: The purpose of this processing is to prepare reports on the company's activity and its relationship with the market, on the composition and evolution of its customer base and on the convenience and effectiveness of its products and services. These reports are used to manage said products/services and to create and maintain statistical and mathematical models that allow for the processing detailed in this policy to be carried out and that require advanced calculations and analysis of the information.
Data processed: The data we will process for this purpose is that which has been identified previously for each processing type. We will apply, whenever possible, anonymisation or pseudonymisation techniques to ensure that this processing does not have an impact on the rights of the data subjects, and that the result of the processing is reports with statistical or aggregated information, or mathematical or algorithmic formulas.
Other relevant information: The following section includes other relevant data processing information:
- Right to object to processing: Note that you have the right to object to processing based on a legitimate interest. You can do this simply and free of charge through the channels indicated in Section 4.
- Ancillary data processing: The processing of data to create statistical reports and mathematical models is not intended to process individual user data.
This data processing is necessary, but accessory, to the main purpose of preparing management reports, or algorithmic or mathematical formulas, and is thus carried out using, whenever possible, anonymising techniques or, failing that, pseudonymisation and minimising the information processed.
This processing has no effects or consequences on the individual data subject.
Data Controller: The data controller in this case is IMAGIN. This processing is not carried out as joint controllers.
7. DATA PROCESSING IN APPS INTENDED FOR MINORS (IMAGINKIDS KIDS AND IMAGINTEENS VERSION)
IMAGINKIDS (KIDS' VERSION)
ImaginKids (the kids' version) is an app intended for children under the age of 12, with content created (and checked by specialists in children's content) specifically for them, relating to good financial habits and education.
The child's legal guardian must validate their registration for the kids' version.
No data relating to the child will be requested or processed on ImaginKids (kids' version).
Details on data processing for ImaginKids can be found in the ImaginKids Privacy Policy published on Google Play and iTunes, in the app's Terms and Conditions, and in the My Profile section (if and when the ImaginKids app has been downloaded).
ImaginKids (kids' version) does not use any resources such as geolocation, nor does it process browsing data for user analysis or personalised advertising purposes.
IMAGINTEENS
ImaginTeens is an app designed for people over the age of 14 to introduce them to money management through their mobile.
The app obtains the following identifying details of minors: full name, date of birth, mobile phone number and email address.
If the child's legal guardian gives their authorisation, the minor can view all the products they own in the app (ImaginBank accounts and/or cards, and/or prepaid MoneyToPay cards) and carry out certain transactions from their mobile phone.
Details on data processing for ImaginTeens can be found in the ImaginKids Privacy Policy published on Google Play and iTunes, in the app's Terms and Conditions, and in the My Profile section (if and when the ImaginTeens app has been downloaded).
ImaginTeens does not use any resources such as geolocation, nor does it process browsing data for user analysis or personalised advertising purposes.
8. RECIPIENTS OF THE DATA
Data controller and joint data controllers
The data of yours that we process as an IMAGIN user we do so from IMAGIN. If data is processed by joint data controllers, it will be processed by CaixaBank Group companies in accordance with the previous processing sections.
Authorities or official bodies
IMAGIN may be legally required to provide information on transactions we carry out to authorities or official bodies in other countries located both within and outside the European Union.
Disclosure of data to outsourced service providers
Sometimes we use service providers with potential access to personal data.
Such providers grant an adequate, sufficient safeguarding service when it comes to processing your data, since we carefully screen service providers by including specific demands in the event that their services involve the need to process personal data.
The type of services we can assign to service providers is:
Financial back-office services
Administrative support services
Audit and consulting services
Marketing and advertising services
Survey services
Logistical services
Physical security services
Computer services (system and information security, cybersecurity, information systems, architecture, hosting, data processing)
Telecommunications services (voice and data)
Printing, enveloping, postal and courier services
Data storage and destruction services (digital and physical)
9. DATA STORAGE PERIODS
Storage for maintaining Contractual Relations
We will process your data as long as the Contractual Relations we have established remain in force.
Storage of authorisations for processing your data based on your consent (Imaginer Infinity user)
We will process the data based on your consent, until you revoke it.
If you cancel all your product and service contracts with the CaixaBank Group companies but do not withdraw the consent you have given us, we will automatically void said consent until you stop being our customer.
Storage to comply with legal obligations and to formulate, exercise and defend claims
Once the authorisation to use your data is revoked due to your withdrawal of your consent, or the contractual or business relationship established with us is over, we will only store your data to comply with legal obligations and to allow us to formulate, exercise or defend claims during the limitation period for actions resulting from this contractual relationship.
We will process this data by applying the technical and organisational measures required to guarantee that it is only used for these purposes.
Data destruction
We will destroy your data when the storage periods imposed by the regulations governing IMAGIN's activity have expired and the limitation periods for administrative or judicial actions arising from the relations established between you and us have elapsed.
10. DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA
EAt IMAGIN, we process your data within the European Economic Area and generally we have service providers located within the European Economic Area or in countries deemed to have an adequate level of data protection.
If we need to use service providers that carry out processing outside the European Economic Area or in countries not determined to have an adequate level of data protection, we will ensure that your data is processed in a secure and legitimate manner.
For this purpose, we require these service providers to apply suitable guarantees in accordance with the GDPR, such as binding corporate standards guaranteeing information protection in a similar way to European standards or to subscribe to the standard clauses of the European Union.
11. AUTOMATED DECISIONS
Section 6 of this Policy contains information on the type of processing that incorporates automated decision-making.
If during the Contractual Relationships you maintain with us, we adopt decisions that could establish legal effects for you or could significantly affect you (for example, to not allow you to take out a certain product) based solely and exclusively on automated processing (i.e., without the participation of a person), we will inform you of this, as well as of the logic through which we adopted it, in the contractual documentation of the product or service you have requested.
Moreover, at that time, we will also adopt measures to safeguard your rights and interests by giving you the right to human involvement, to express your views and to challenge the decision.
12. REVIEW
We will revise this Privacy Policy whenever necessary to keep you duly informed, for example, when publishing new standards or criteria or when we engage in new processing activities.
We will notify you through the usual communication channels whenever there are substantial or important changes to this privacy policy.