Join usThis button will redirect you to our web registration, where you can sign up for a Tomorrow account.
Tomorrow
Join usThis button will redirect you to our web registration, where you can sign up for a Tomorrow account.

Privacy Policy

Tomorrow Mobile Banking App of Tomorrow GmbH

1. General information about the collection of personal data

You can obtain our “Tomorrow” mobile app by downloading it on to your mobile device from the Apple App Store or, for Android, from the Google Play Store. This Data Privacy Policy describes how Tomorrow GmbH (“Tomorrow,” “we,” “us” and “our”) protects your data and how your use of our Tomorrow app affects you, as well as how we use and protect the personal data we collect.

Personal data are all data which refer to you personally, including for example your form of address, name, address, e-mail address, IP address, etc. We only collect and process your personal data in compliance with the provisions of the EU General Data Protection Regulation (“GDPR”) and other provisions of European and applicable national data protection law.

Personal data are only collected and used with your consent or if the processing of such data is permitted by law. The following provisions provide information about the type, scope and purpose of the collection and processing of your personal data.

In the event that we make use of the services of commissioned service providers for the purpose of providing specific functions for our Tomorrow app or if we use your data for marketing or analysis purposes, we will also inform you in detail in the following about the action taken. We also provide information about the stipulated criteria for and the period of storage. We also inform you about your rights with regard to data processing.

We want you to know that we handle your data in a very trustworthy and confidential manner. We will disclose your data to third parties only where that is necessary to offer you our service. We are categorically opposed to the selling and vending of data.

This Data Privacy Policy relates exclusively to our Tomorrow app.

2. Contact details of the controller and Data Protection Officer

The controller responsible for data protection under the GDPR and all other applicable provisions of German and European data protection law is:

Tomorrow GmbH Karolinenstr. 9 20357 Hamburg Germany

E-mail: support@tomorrow.one

3. Data Protection Officer

Den Datenschutzbeauftragten erreichst Du wie folgt:

Niklas Hanitsch Franz-Mayer-Straße 1 93053 Regensburg Germany

E-mail: dsb@daten4.de

4. Notes on lawfulness and period of storage

If we obtain your consent to processing of your personal data, the legal basis for that is Article 6 (1) point (a) GDPR. You are entitled to withdraw any consent you have given at any time with effect for the future.

Under Article 6 (1) point (b) GDPR, the processing of your personal data is legitimate if such processing is necessary for the performance of a contract with you or your company. This also applies to all processing operations which are relevant prior to entering into a contract.

The legal basis for processing your personal data which is necessary for compliance with our legal obligations is Article 6 (1) point (c) GDPR.

Article 6 (1) point (f) GDPR is the legal basis for processing which is necessary to safeguard the legitimate interests pursued by our company or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

4.2 Period of storage and erasure of data

Any personal data which we collect, process and store will only ever be kept by us for as long as there is a specific purpose for such storage. Your data will be erased or its processing restricted as soon as the specific purpose for which they were stored no longer applies.

It is possible, however, that European regulations, applicable national laws or other rules may require that we store data which we have processed for a longer period of time. We will erase or restrict the processing of your data when these periods of storage have expired.

5. Your rights

For the purposes of the GDPR you are the “data subject” of any of your personal data which we process. As a data subject you have the following rights with regard to Tomorrow:

As the data subject you have the right under the law to access personal data and obtain information on it (Article 15 GDPR), to rectification of data (Article 16 GDPR), to erasure of data (Article 17 GDPR), to restriction of processing (Article 18 GDPR), to data portability (Article 20 GDPR), to withdraw your consent to data processing (Article 7 GDPR) and to lodge a complaint with a data protection supervisory authority (Article 77 GDPR).

You also have a RIGHT TO OBJECT:

You have the right to object at any time, based on Article 6 (1) point (f) GDPR, on grounds relating to your particular situation, to the processing of personal data concerning you (Article 21 (1) GDPR). Tomorrow may then no longer process the personal data concerning you unless Tomorrow demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If the personal data concerning you are processed for the purposes of engaging in direct marketing, you have the right to object at any time to the processing of your personal data for such advertising purposes (cf. Article 21 (2) GDPR). Please send your objection to us or our Data Protection Officer (see section 2 of this Data Privacy Policy).

6. Purpose of processing

We process your personal data for the purposes stated in this Data Privacy Policy or for purposes directly linked to the functioning of the Tomorrow app. The Tomorrow app is a digital account. Its main function is to enable users to see transactions (cash receipts and outpayments, in particular giro transfers and cash withdrawals). At the same time, you receive real-time feedback on account movements by means of push notifications. Outpayments are categorised automatically and the positive impact on the current account and your payments are shown on the Impact Board of the Tomorrow app. You can block and unblock your cards directly with the Tomorrow app. You can also use the Tomorrow app to define giro transfer and withdrawal limits and adapt them to suit the situation. If applicable, we offer to put you in touch with a depositary bank to enable you to invest your money using the Tomorrow app. We conduct registration processes on your behalf and take care of all correspondence. All in all, the Tomorrow app offers you extensive services in connection with bank transactions. Your data are processed primarily to perform the contract of use for the Tomorrow app. We therefore refer you to our General Terms and Conditions.

7. What data are processed when you download the Tomorrow app?

When you download the Tomorrow app, the information required for that is first transmitted to the Apple App Store or Google Play Store. This includes in particular your user name, your e-mail address and the customer number of your account, the time at which the Tomorrow app is downloaded, your payment information and your individual device number. We have no influence on the collection of these data. Responsibility is held solely by the app store.

Nonetheless, we point out that Apple Inc., 1 Infinite Loop, Cupertino, California, USA, 95014 (“Apple”) and Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) state that they take strict technical measures to protect your personal data. Apple and Google may disclose your personal data to third parties which offer Apple and Google products and services themselves or which support Apple’s and Google’s marketing to customers. Apple and Google may also pass on data to companies which provide services for Apple and Google. Apple and Google will also transmit the information to countries outside the European Economic Area (“EEA”). If Apple and Google send your data to the United States, for example, they both state that they take additional measures, such as concluding EU-compliant data transmission agreements with the data importer if this is necessary. The two companies are also subject to the EU-US Privacy Shield.

More information is available at: https://www.apple.com/legal/privacy/en-ww/ and https://policies.google.com/privacy?hl=en-GB&gl=de

8. What data are processed when the Tomorrow app is used?

When the Tomorrow app is used, Tomorrow itself collects the following personal data, for example, so as to provide the described mobile banking services:

8.1 Registration / creation of a user profile / master data

Before you can open an account using our Tomorrow app, you register with our Tomorrow app. You then create a user profile for yourself. We use those data to perform the contract concluded with you. As part of that, we may process the following data:

  1. Your first name and surname

  2. Your e-mail address

  3. Your mobile phone number

  4. Your address (street, number, postal code, city)

  5. Your nationality

  6. Your country of residence

  7. Your occupation

  8. Your date and place of birth

  9. Your gender of salutation

  10. Your country of tax liability

  11. Whether you are taxable in the USA

  12. Your tax number [optional]

  13. Your invitation code [optional]

  14. Your IBAN.

Only your name and IBAN are stored in the app itself. The other data are only stored on our Tomorrow servers, unless otherwise specified in this Data Privacy Policy.

8.3 Usage data processed by the Tomorrow app

When you are using the Tomorrow app, the Tomorrow app collects the following technical data such as:

  1. The device model you use

  2. The app version you use

  3. The operating software version (i.e. OS version) you use

  4. The mobile provider you use (if there are problems)

  5. Your IP address.

You can find more information on recording of usage data in sections 10 and 11.

8.4 Content data processed by the Tomorrow app

You can make various settings as part of using the Tomorrow app. We save these settings, which may reveal data about you. They include:

  • Your manual categorisation of deposits and outpayments

  • Specific deposits and outpayment limits

8.4 The VideoIdent verification process

a) The process

As you know, we cooperate with Solarisbank AG, with which you conclude a payment services framework agreement on our behalf. Under the German Money Laundering Act (“GwG”), our cooperation partner Solarisbank AG is obliged as a bank to check your identity and age when you open an account. The VideoIdent process is used to identify you on the basis of a valid ID document. During the process for registering to use our Tomorrow app, you are taken to the VideoIdent process by means of a link.

The actual process itself is conducted by the provider IDnow GmbH, Auenstraße 100, 80469 Munich, Germany (“IDnow”) on behalf of Solarisbank AG (commissioned data processing).

We send the data you furnish in the registration process to IDnow so that IDnow can verify that it is correct using the VideoIdent process. The legal basis for transferring the data in this step is Article 6 (1) point (b) GDPR, since the VideoIdent process is required so that we can provide you with the mobile banking services we offer.

A secure video connection is established between your mobile device and IDnow. You are required to permit IDnow to access the camera and microphone of your mobile phone temporarily. That means, for example, that the IDnow employee can see you with your mobile phone’s camera. You must then hold your ID document up to the camera so as to enable it to be checked and compared with the data you furnished during registration. Photos and, if applicable, video recordings of your ID document are created to prove that you conducted the process. Particular attention is paid to whether the ID document is intact, as well as to its authenticity and security features. You are also requested to read out your ID document’s number. Parts of the conversation are also recorded and stored for this purpose. When the check has been completed, the data are sent to Solarisbank AG. The ID document’s details relating to your height and eye colour are redacted by IDnow before they are passed on to Solarisbank AG.

Solarisbank AG bases its right to conduct the VideoIdent process primarily on Article 6 (1) point (c) GDPR with reference to its need to comply with the provisions of the German Money Laundering Act (GwG). The legal basis for processing of this data is also Article 6 (1) point (a) GDPR, provided you have given your consent to Solarisbank AG. The IDnow employee verifying your identity asks you at the beginning of the video conversation to give your consent to photos and videos being made of you and to their being processed. You may withdraw your consent at any time with effect for the future. Article 6 (1) point (b) GDPR is also relevant, since Solarisbank AG requires the data to conclude a payment services framework agreement with you. You can find out more about the VideoIdent process in the Privacy Policy of Solarisbank AG and in the Privacy Policy of IDnow.

b) Disclosure of the data from the VideoIdent process of Solarisbank AG to Tomorrow

In certain cases, Solarisbank AG discloses the data from the VideoIdent process to Tomorrow upon request. We may need your data, for example, to be able to provide you with our full contractual service. The legal basis for disclosing the data collected in the VideoIdent process is Article 6 (1) point (b) GDPR, since we need the data to fulfil the contract between you and us. We will erase the data if they are no longer needed for the purpose in question and if they are not subject to contractual or legal retention periods.

c) When using our Tomorrow-app, we offer you, for example, an investment service with custodian banks or other service providers. For this purpose we cooperate with various custodian banks where you can conclude custodian contracts or create a portfolio. If you use the service offered by us, we will pass on your stored data including your identification data to our cooperation banks. This saves you the need for further identification procedures, for example. The legal basis for the transfer of your personal data is your consent in accordance with article 6 paragraph 1 letter a GDPR. We will delete your data as long as we no longer need them for the purpose stated above and there are no legal retention period.

We currently work with the following third party suppliers:

WIWIN GmbH

We work together with Wiwin GmbH & Co. KG, Schneebergerhof 14, 67813 Gerbach (Wiwin). Wiwin is a contractually bound agent in the sense of § 2 Abs. 10 Kreditwesengesetz (KWG). Wiwin cooperates with Effecta GmbH, Am Sportplatz 13, 61197 Florstadt (Effecta). Further information on the processing of your personal data by Wiwin and Effecta can be found at https://www.wiwin.de/datenschutzerklaerung and https://www.effecta-gmbh.de/datenschutzerklaerung/.

8.5 Tomorrow IBAN scanner

To make the transfer process easier for you, we offer you the possibility to scan the e-mail address or IBAN of the recipient within our app. This way you don't have to type in the IBAN or the e-mail address manually when you want to make a bank transfer. There is the possibility to make a bank transfer using the e-mail address of recipients, if the recipient is also a customer of Tomorrow. During the scanning process we process the following personal data depending on the type of transfer:

  1. IBAN of the recipient

  2. E-mail address of the recipient

To use the scan function we use a Software Development Kit (SDK). This is a collection of programming tools and program libraries for developing software. Specifically, we use the Google Play Service "MLKIT" (Machine Learning Kit) from Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland ("Google").

Due to the specific nature of the implementation, no personal data will be disclosed to third parties.

The legal basis for the processing of your personal data and access to your camera is your consent according to art. 6 para. 1 sentence 1 a) of the GDPR.

You can revoke the Tomorrow app's access to the camera at any time in the settings of your smartphone or tablet. Please note that the use of the scan function requires access to the camera.

If we process the IBAN or the e-mail address of the recipient of the payment, art. 6 para. 1 sentence 1 f) GDPR constitutes our legal basis. Our legitimate interest is to simplify and optimise the payment process.

During the scanning process, we only extract the IBAN or the e-mail address. The scan itself is not stored. In this way we ensure that no other personal data is processed.

9. Push notifications

Our system is configured so that you receive push notifications from us. You can deactivate the relevant setting again in your device settings at any time. However, that means we will not be able to provide you with the entire service we offer.

If push notifications are enabled, a unique identification number of your mobile device (device ID/device token/registration ID) is communicated to the service that provides the push functionality from your operating system provider. That service returns an identifier (“push notification identifier”) that cannot be used to identify the device ID and so you as the user.

The data are only used to offer you the functions in the Tomorrow app. For example, you receive a notification in response to every account movement. The data are not passed on to third parties.

The legal basis for the above processing is Article 6 (1) point (b) GDPR, since the data are processed to perform a contract, in this case for the purpose of sending the push notifications in response to every single account movement. You can find more information about data protection at Apple and Google in section 7.

You can find further information on sending of push notifications by Google Firebase in section 10.

10. Google Firebase

Our Tomorrow app uses the Google Firebase technology from Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Firebase”). Where possible, Google Firebase uses servers located in the EEA for its services. However, it is not possible to rule out data being transferred to the USA. Google is subject to the EU-US Privacy Shield for that purpose.

We have also concluded a data processing agreement with Google containing standard contractual clauses, in which Google undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU. The legal basis for using this cloud service is our legitimate interest in accordance with Article 6 (1) point (f) GDPR, since processing of your data is protected under a data processing agreement.

More information on Google Firebase and data privacy is available at: https://firebase.google.com/terms/data-processingterms https://firebase.google.com/terms/ https://firebase.google.com/support/privacy/

You can prevent tracking by the Firebase services in the app by selecting the menu item “Datenschutz” (“Data privacy”) and setting the check mark for “Analytics deaktivieren” (“Disable analytics”). We use the following Firebase services:

Google Analytics for Firebase enables analysis of how our offering is used. Information on the use of our Tomorrow app is recorded, transferred to Google and stored there. Google uses the device’s advertising ID for that. Google will use the above information to analyse use of our Tomorrow app anonymously and to provide other services relating to use of apps. You can restrict use of the advertising ID in the device settings (iOS: Privacy / Advertising / Limit Ad Tracking; Android: Account / Google / Ads).

The legal basis for analysing usage behaviour is our legitimate interest in accordance with Article 6 (1) point (f) GDPR. Our interest in recording usage behaviour overrides your interests in protecting your data, since that allows us to keep on improving our app and we do not disclose the data to third parties who pursue their own interests with the data.

Firebase Cloud Messaging enables us to send push notifications or in-app messages, i.e. messages that are only displayed within the app. As part of that, the mobile device is assigned a pseudonymised push reference that is used to target the push notifications and in-app messages to a device. You can find more information on our push notifications in section 9.

Firebase Crashlytics helps improve the Tomorrow app and increase its stability. As part of it, information on the device used and use of our Tomorrow app is collected. That includes, for example, the times when the Tomorrow app is started and a crash occurs. That information allows us to diagnose and solve problems. The legal basis for using Crashlytics is Article 6 (1) point (f) GDPR as Tomorrow has a legitimate interest in processing of the data. We use the data on app crashes to be able to keep on improving our Tomorrow app.

11. Analysis of usage behaviour

We at Tomorrow work continuously to improve our app. The key basis for our decisions is knowing how our customers use our app. That is why we record usage behaviour by means of various services that enable us to look at our app from different perspectives. Apart from Google Analytics for Firebase (see section 9), we also use the service from Countly Ltd, 9th Floor, 107 Cheapside, London, EC2V 6DN, UK (“Countly”). Countly is an analytics service that takes data privacy very seriously.

The usage data we record is specified in section 7.2. As part of our analyses, we group the data in statistical form so that they no longer relate to an individual customer. Usage behaviour is recorded pursuant to our legitimate interest in accordance with Article 6 (1) point (f) GDPR. Our interest in recording usage behaviour overrides your interests in protecting your data, since that allows us to keep on improving our app and we do not disclose the data to third parties who pursue their own interests with the data.

The data are recorded and analysed on Countly servers. To enable that, we have concluded a data processing agreement with Countly containing standard contractual clauses, in which Countly undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU. The standard contractual clauses are necessary for after the United Kingdom leaves the European Union. You can find more information about data protection at Countly. You can prevent tracking in the app by selecting the menu item “Datenschutz” (“Data privacy”) and setting the check mark for “Analytics deaktivieren” (“Disable analytics”).

12. Measurement of marketing success

It is important for Tomorrow as an aspiring company to know which of our marketing measures were successful. Only on the basis of that knowledge can we assess what advertising measures on behalf of Tomorrow we should continue to invest in. In order to be able to measure the success of our advertising on smartphones, we cooperate with Adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin, Germany (“Adjust”). Adjust cooperates with a large number of partners and so can document the customer journey from when an ad is shown on a smartphone to installation of the Tomorrow app. Adjust recognises Tomorrow’s advertising as part of that. In addition, Adjust recognises your device from its individual device ID the provider of the operating system assigns to your device. Your device ID is assigned to your device by Google for Android and by Apple for iOS. You can prevent disclosure of this ID in your device’s settings and so prevent Adjust and us from recognising you (iOS: Privacy / Advertising / Limit Ad Tracking; Android: Account / Google / Ads). If you do not wish to suppress the ID in general, but only for the service provider Adjust, you can enter the ID on the following site of Adjust and so block tracking by Adjust alone

The legal basis for tracking the (online) journey users take with their device to reach the client’s app is our legitimate interest in accordance with Article 6 (1) point (f) GDPR. Our interest in measuring the success of our marketing measures overrides your interests in protecting your data, since we can combat ad fraud in this way and you can prevent recording of your data at any time.

To enable processing of the data, we have concluded a data processing agreement with Adjust, in which Adjust undertakes to process user data only in accordance with our instructions and to comply with data protection law.

The legal basis for using this cloud service is our legitimate interest in accordance with Article 6 (1) point (f) GDPR, since processing of your data is protected under a data processing agreement. You can find more information about data protection at Adjust here.

13. Confirmation e-mail

If you register to open an account in the Tomorrow app using your e-mail address, we send you an e-mail containing a confirmation link to the e-mail address you have specified. By opening this link, you confirm that you are the owner of the specified e-mail address and that an unauthorised person is not misusing your e-mail address. As part of this confirmation process, we process your e-mail address, the time our confirmation e-mail was sent and you opened the confirmation link, and your IP address as a further identifying feature. The legal basis for this confirmation process is the preparation necessary for the performance of a contract in accordance with Article 6 (1) point (b) GDPR, since such a screening procedure is necessary before a contract can be concluded.

We use the cloud service from SendGrid Inc., 1801 California Street, 1801 California St, Denver, CO 80202, USA (“SendGrid”) for sending out the confirmation mail automatically. SendGrid is subject to the EU-US Privacy Shield for that purpose.

We have also concluded a data processing agreement with SendGrid containing standard contractual clauses, in which SendGrid undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU.

The legal basis for using this cloud service is our legitimate interest in accordance with Article 6 (1) point (f) GDPR, since processing of your data is protected under a data processing agreement. You can find more information about data protection at SendGrid here.

14. Newsletter

You can subscribe to a free newsletter in the Tomorrow app. If you consent to receiving the newsletter, we inform you in it about the latest mobile banking services, our new Tomorrow offerings and our services related to offerings from our cooperation partners (Solarisbank AG/depositary banks) and on new features of the Tomorrow app. The data you enter when subscribing to the newsletter are transmitted to us. They usually include:

  • Your e-mail address

We need your e-mail address in order to send you the newsletter, as well as to identify you and check that you have given your consent.

We use the double opt-in procedure when you subscribe to our newsletter. This means that, after you have subscribed to it, we will send an e-mail to the e-mail address given by you asking you to confirm that you wish to receive the Tomorrow app newsletter. If you do not confirm your subscription within one month, your data will be automatically erased. After receiving your confirmation, we store your e-mail address and the other details for the purpose of sending the newsletter. The legal basis for that is Article 6 (1) point (a) GDPR.

We also store your IP addresses and the times of your subscription and confirmation. The purpose of this procedure is to demonstrate that you have subscribed and to clarify any possible misuse of your personal data. The legal basis for that is Article 6 (1) point (f) GDPR.

We erase your data as soon as you or we have ended the subscription for the newsletter. You can cancel the newsletter subscription at any time by withdrawing your consent with effect for the future. There is a link in every newsletter sent to you which you can click to automatically unsubscribe. Alternatively, you can send an e-mail to support@tomorrow.one or a message to the controller or Data Protection Officer referred to above in this Data Privacy Policy.

We use the cloud technology Freshsales from Freshworks Inc., 2950 S. Delaware Street, Suite 201, San Mateo CA 94403, USA (“Freshworks”) to send our newsletter. We store the data from your subscription to our newsletter and compile the mailing lists for our individual newsletters in Freshsales.

Freshworks is subject to the EU-US Privacy Shield for that purpose. We have also concluded a data processing agreement with Freshworks containing standard contractual clauses, in which Freshworks undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU.

The legal basis for using this cloud service is our legitimate interest in accordance with Article 6 (1) point (f) GDPR, since processing of your data is protected under a data processing agreement. You can find more information on the subject of Freshworks and data privacy here.

Our newsletters are sent using e-mail accounts operated on Google servers. Google can be reached at Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Where possible, Google uses servers located in the EEA for our e-mail accounts. However, it is not possible to rule out data being transferred to the USA. Google is subject to the EU-US Privacy Shield for that purpose.

We have also concluded a data processing agreement with Google containing standard contractual clauses, in which Google undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU. The legal basis for using this cloud service is our legitimate interest in accordance with Article 6 (1) point (f) GDPR, since processing of your data is protected under a data processing agreement.

You can find more information about data protection at Google here.

15. Contacting Tomorrow

15.1. E-mail

In our Tomorrow app, you can find our contact e-mail address, which you can use to get in touch with us. If you write an e-mail to us, we will store your e-mail address and other data which you have provided.

The legal basis for processing is Article 6 (1) point (b) GDPR, provided the contact relates to steps prior to entering into a contract or contract-related matters. Tomorrow also has a legitimate interest in processing your data pursuant to Article 6 (1) point (f) GDPR for the purpose of replying to your inquiry. The data are erased as soon as they are no longer required for the purpose for which they have been collected and provided that they are not subject to any legal or contractual archiving obligations. The conversation is ended when it can be inferred from the circumstances that the issue in question has been conclusively clarified.

The following data are also stored at the time you send your message: •

  • Your IP address

  • The date and time at which you made contact

  • Your browser’s language settings

  • If applicable, your Facebook profile URL or Twitter profile URL, if you have such accounts, and they are linked publicly with your e-mail account.

The legal basis for processing of the data is Article 6 (1) point (f) GDPR. Other personal data processed during transmission are used to prevent the e-mail from being misused and to ensure the security of our information technology systems. Processing the data also means we can reply to you directly in your language and offer you a better service. Other personal data collected during transmission will be erased after a period of seven days at the latest. The data are used exclusively to process the conversation.

We use e-mail accounts operated on Google servers to send and receive e-mails. Google can be reached at Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google stores our e-mail accounts on servers in the EU. Under the US CLOUD Act, data on European servers of U.S. companies, in particular Google, can also be accessed by the U.S. authorities, which means that Google Ireland Ltd must be treated as a U.S. company for the purposes of data protection.

Google LLC, the parent company of Google Ireland Ltd, is subject to the EU-US Privacy Shield for that purpose. We have also concluded a data processing agreement with Google containing standard contractual clauses, in which Google undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU. The legal basis for using this cloud service is our legitimate interest in accordance with Article 6 (1) point (f) GDPR, since processing of your data is protected under a data processing agreement. You can find more information about data protection at Google.

15.2. Contact via Freshchat

We also use the chat system Freshchat. The provider of this system is Freshworks Inc., 2950 S. Delaware Street, Suite 201, San Mateo CA 94403, USA (“Freshworks”). The purpose of Freshchat is to enable communication between you and Tomorrow in the form of a live chat.

When Freshchat is used, the data you furnish are transmitted to Freshworks and stored on its servers in the USA. Freshworks also transmits these data to external service providers so as to be able to offer Freshchat’s services. Freshworks is subject to the EU-US Privacy Shield for that purpose. We have also concluded a data processing agreement with Freshworks containing standard contractual clauses, in which Freshworks undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU.

The legal basis for the above data processing is Article 6 (1) points (b) and (f) GDPR. The data are processed to enable your inquiries to be examined and answered, in particular also as part of steps prior to entering into a contract. We have a legitimate interest in such data processing so as to be able to offer direct and efficient communication with customers and design our app to suit needs.

Your data are erased as soon as the inquiry in question has been dealt with and if they are not subject to legal retention periods. You can find more information on the subject of Freshworks and data privacy here.

15.3. Contact via BotSupply

We also use the chat system BotSupply. The provider of this system is BotSupply IVS, Solbakken 22, 2840 Holte, Denmark (“BotSupply”). The purpose of BotSupply is to enable communication between you and Tomorrow in the form of a chat.

When BotSupply is used, the data you furnish in the chat are transmitted to BotSupply and stored on its servers in the European Union. We have concluded a data processing agreement with BotSupply, in which BotSupply undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU.

The legal basis for the above data processing is Article 6 (1) points (b) and (f) GDPR. The data are processed to enable your inquiries to be examined and answered, in particular also as part of steps prior to entering into a contract. We have a legitimate interest in such data processing so as to be able to offer direct and efficient communication with customers and design our app to suit needs.

Your data are stored temporarily so that they can be used to improve the service. Individual chat threads are examined to ascertain whether the chat system has identified and responded to the inquiries appropriately. The data are then erased as soon as the inquiry in question has been dealt with and if they are not subject to legal retention periods. The legal basis for the above-described processing of data is either Article 6 (1) point (f) GDPR or – if we have obtained your consent – Article 6 (1) point (a) GDPR.

16. Account switch service

Recipient finleap connect GmbH Gaussstrasse 190c 22765 Hamburg Germany

Description and purpose of processing We offer an integrated account change service provided by finleap connect, which helps you to move your current account to Tomorrow. If you use this service, we will process the following personal data:

Processed data

  • Name

  • Address

  • Date of birth

  • IBAN

Legal basis Performance of a contract and data processing prior to entering into a contract (Art. 6 para. 1 S. 1 lit b GDPR). Privacy Policy For further information please see the privacy policy of finleap.

17. Are your personal data passed on to third parties?

17.1. General information

As a rule, we will only pass on your personal data in compliance with the applicable data protection laws to service providers, business partners and other third parties, where that is necessary to provide our services.

We may disclose personal data to service providers working on our behalf and require them to process data in our name (commissioned data processing). In this context we comply with stringent applicable national and European data protection regulations.

We may also disclose personal data to other third parties if we are required to do so by law or in legal proceedings or in order to offer and manage our Tomorrow app. We may also be required to provide information to law enforcement agencies or other public authorities. We are also authorised to divulge data if the disclosure of information is necessary for the purposes of collaboration and thus of providing services of the Tomorrow app to you or if you declare your consent to such disclosure.

17.2 Agreement with Solarisbank AG on joint responsibility in accordance with Article 26 GDPR

As previously stated, we work closely with our cooperation partner Solarisbank AG. Solarisbank AG can be reached at Solarisbank AG, Anna-Louisa-Karsch-Straße 2, 10178 Berlin, Germany. All the data which we collect from you as part of registration to use the Tomorrow app and which are also used to perform the customer agreement with Solarisbank AG are passed on by us to Solarisbank AG.

The legal basis for passing on the data is Article 6 (1) point (b) GDPR, since Solarisbank AG requires your data to fulfil the customer contract (payment services framework agreement) concluded with you. Performance of the customer contracts by Solarisbank AG on our behalf is essential so that we can fulfil our contract with you relating to management of your account with the Tomorrow app. At the same time, Solarisbank AG has a legitimate interest in processing the data so that it can fulfil the contract with you. Consequently, the legal basis is likewise Article 6 (1) point (f) GDPR.

Solarisbank AG and Tomorrow jointly define the purposes and means of processing data for certain processing operations. As part of that, we have concluded an agreement with Solarisbank AG on joint responsibility for data processing within the meaning of Article 26 GDPR. Among other things, it specifies that you can assert all rights relating to processing of your data against us and Solarisbank AG. You can find information on data processing by our cooperation partner Solarisbank AG here.

17.3 Other banks

As part of the use of our app, we offer you various banking services and services from banks. We cooperate with various banks to do so. If you make use of the service we offer, we will pass on the master data you have stored, including your identification data, to the banks we cooperate with, where that is necessary. That eliminates the need for you to have to verify your identity again, for example.

The legal basis for this processing is Article 6 (1) point (b) GDPR. We process your data in order to fulfil the contract with you. In addition, the banks have a legitimate interest in meeting their obligations under the German Money Laundering Act (GwG) without the need to verify your identity again.

We erase your data as soon as we no longer need them for the above purpose and if they are not subject to legal retention periods.

17.4. Technical delivery of the Tomorrow app services

Our Tomorrow app – and so your user account – is administered and supported by our technical service providers. They also adopt stringent technical measures to protect your personal data. Our service providers do not pass on your personal data to third parties unless this is necessary in order to perform the agreed services or if our service providers are required to do so by law or to comply with a valid and mandatory instruction issued by a government or regulatory authority. The data provided for this purpose are kept to a minimum.

The legal basis for processing of your data by our service providers is Article 6 (1) point (f) GDPR. We have a legitimate interest in using the technical support and services of our service providers. We erase your data as soon as they are no longer needed to achieve their intended purpose and if they are not subject to legal retention periods.

17.5. Hosting

Amazon Web Services: Our Tomorrow app – and so your user account – is hosted by Amazon Web Services Inc., 410 Terry Avenue North, Seattle WA 98109, United States (referred to in the following as “Amazon”) on servers in Germany. We have concluded a data processing agreement with Amazon containing standard contractual clauses, in which Amazon undertakes to process user data only in accordance with our instructions and to comply with a level of data protection commensurate to that in the EU. Amazon adopts stringent technical measures to protect your personal data. Amazon does not pass on your personal data to third parties unless this is necessary in order to perform the agreed services or if Amazon is required to do so by law or to comply with a valid and mandatory instruction issued by a government or regulatory authority. The data provided for this purpose are kept to a minimum.

In some circumstances, Amazon may also store the information in countries outside the European Economic Area. Amazon will, however, take the necessary steps to ensure that an appropriate level of data protection is maintained. Amazon participates in the EU-US Privacy Shield Framework, if your data are transferred to the USA.

The legal basis for processing is Article 6 (1) point (f) GDPR. We have a legitimate interest in using servers of a processor. We erase your data as soon as they are no longer needed to achieve their intended purpose and if they are not subject to legal retention periods.

More information from Amazon about data protection is available here.

Hetzner Cloud: Alongside Amazon Web Services, we use the further hosting service Hetzner Cloud as a backup. The Hetzner Cloud is a hosting service from Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (referred to in the following as “Hetzner”), which has servers in Germany and Finland. We have concluded a data processing agreement with Hetzner. Hetzner also adopts stringent technical measures to protect your personal data. Hetzner does not pass on your personal data to third parties unless this is necessary in order to perform the agreed services or if Hetzner is required to do so by law or to comply with a valid and mandatory instruction issued by a government or regulatory authority. The data provided for this purpose are kept to a minimum.

The legal basis for processing is Article 6 (1) point (f) GDPR. We have a legitimate interest in using servers of a processor. We erase your data as soon as they are no longer needed to achieve their intended purpose and if they are not subject to legal retention periods.

More information from Hetzner about data protection is available here.

18. Security standards

We have implemented the latest technical measures to protect your personal data, including in particular against accidental or intentional manipulation, loss, destruction or access by unauthorised persons. These security measures will be adapted in line with the current state of the art. Personal data are only ever transmitted in encrypted form between your mobile equipment and our server (Secure Sockets Layer (SSL) method).

19. Changes to this policy

We may update this Data Privacy Policy from time to time. We therefore recommend that you regularly read this Data Privacy Policy to ensure that you are familiar with our data protection practice. This Data Privacy Policy was last updated on 16 October 2019.