Information on personal data processing

EU CLIENTS

Version 2 - Last update on 03/2026

Pursuant to Articles 13 and 14 of the EU Regulation 2016/679 (hereinafter, the "Regulation"), known as GDPR, Fabrick S.p.A. (hereinafter, the "Data Controller"), provides you with the following information on the characteristics of the processing it carries out on your personal data.

1) Who is the Data Controller?

The Data Controller of Your personal data is Fabrick S.p.A. with head office in Biella (BI) - 13900, Piazza Gaudenzio Sella, 1.

2) How can the Data Protection Officer be contacted?

The Data Protection Officer (hereinafter also "DPO - Data Protection Officer") may be contacted at the following addresses:

  • Postal address: Piazza Gaudenzio Sella No. 1, 13900 Biella (BI) - DPO
  • E-mail address: privacy@fabrick.com

3) What categories of personal data are processed and what are the sources of the data?

The processing relates to your personal data belonging to the categories listed below, in your capacity as:

  1. client (or legal representative of the company or owner of the sole proprietorship or freelancer) with reference to the following categories of data:
    • personal, contact and contractual data (e.g. name, surname, gender, date and place of birth, address of residence/domicile, identity document, tax code, email, certified email, telephone number, educational qualifications, registered office, VAT number, profession, sector of reference, website, credentials for access to the company's services and products);
    • data revealing the economic situation (e.g. banking data depending on the method of payment, data relating to payment transactions, annual revenue);
    • multimedia data (e.g. recordings of telephone calls and chats in the case of customer support, username, access logs to the Controller's systems).
    In the event of subscription of the services provided by the Data Controller as a Payment Institution authorised by the Bank of Italy, the Data Controller may be required to carry out customer due diligence and the additional checks required by the current legislation on the prevention of the use of the financial system for money laundering and terrorism purposes (hereinafter, the "Anti-Money Laundering Regulations"). Therefore, in this case, the following additional categories of personal data will also be collected:
    • socio-demographic data (e.g. data relating to income, profession, assets);
    • public context information (e.g. exercise of public or political functions, inclusion in blacklists and/or watchlists);
    • information relating to the overall transaction (for example, information relating to payment transactions);
    • personal, contact and contractual data of the ultimate beneficiary (e.g. name, surname, tax number, date and place of birth, domicile/residence address, identity document);
    • in the event of identity verification by means of an identity document, data belonging to special categories and, specifically, biometric data (images of identification documents and images collected through video-selfie).
    It is further specified that, when subscribing to the Fabrick Account-To-Account Service, customer due diligence information will be shared with or transferred to Token.io Limited, a company with its registered office at 10 John Street, London WC1N 2EB, United Kingdom (hereinafter "Token.io"), which is required to carry out the above verifications.
  2. employees or collaborators of the client, as the contact person for specific activities (e.g. administrative contact person, technical contact person) or because they are registered as a user in the Controller's systems (e.g. dashboard), with reference to the following categories of data:
    • personal, contact and contractual data (such as: name, surname and tax code, e-mail address, telephone number, username);
    • multimedia data (such as: system access logs).
    The aforementioned data are personally provided by you to the Data Controller in the course of the conclusion of the contract or subsequently and - where provided for - in the course of the verifications carried out by the Data Controller in compliance with the anti-money laundering regulations or which become known in the course of such verifications, including during the course of the relationship.

4) On what legal basis and for what purposes does the Data Controller process your personal data?

The processing of your personal data is carried out by the Data Controller in order to:

  a) manage the onboarding process of the customer, provide the authorizations to use the services and operate on the dashboard provided to the customer, sign the contract and manage the relationship, guarantee everything necessary for its execution, as well as provide assistance, by telephone or chat, even during the signing phase.
    The processing referred to in letter a) is carried out as necessary for the execution of the contract or pre-contractual measures taken at your request, pursuant to art. 6 par. 1 lett. b) of the Regulation. The provision of data is necessary; failure to communicate one or more data will make it impossible to establish the relationship.
  b) comply with the obligations provided for by law and in particular, by way of example but not limited to, obligations in the field of Anti-Money Laundering – where applicable – accounting, tax, complaints and dispute management.
    The processing referred to in letter b) is carried out in compliance with the legal obligations to which the Data Controller is subject, pursuant to art. 6, par. 1, lett. c), of the Regulation. The provision of data is obligatory; the failure to provide one or more data will not allow the establishment of the relationship as any refusal would not allow the Data Controller to comply with its legal obligations.
    With particular reference to the obligations arising from the Anti-Money Laundering Regulations, where you choose to verify your identity by means of document verification using biometric technologies – namely, the analysis of the correspondence between the identity document and the image of your face collected through video-selfie – the processing of personal data will be carried out as it is necessary for reasons of substantial public interest on the basis of European Union or Member State law, pursuant to art. 9, par. 2, lett. g) of the Regulation. We inform you, in any case, that it is possible to use alternative identification methods that do not involve the processing of data belonging to special categories, such as, for example, SPID or home banking.
  c) carry out the following marketing activities:
    • measuring the level of customer satisfaction with the quality of the services provided;
    • carrying out studies and market research;
    • developing and selling its own services and/or those of companies in the Sella Group and/or of third parties, using methods including the sending of informative, promotional and commercial communications (activities that may be carried out through emails, SMS, push notifications, paper mail, telephone with the operator and social networks).
    The processing referred to in letter c) is carried out with your specific and optional consent pursuant to art. 6, par. 1, lett. a), of the Regulation. The provision of your personal data for the aforementioned purposes is optional and does not affect the use of the products and/or services offered by the Data Controller or the establishment of the relationship. The consent, if given, may be revoked at any time in the manner indicated in the "What are your rights?" section or by using the unsubscribe option at the bottom of e-mail communications. With particular reference to the sending of e-mail communications relating to products or services similar to those purchased by you, we remind you that the Data Controller may process the data relating to the e-mail addresses provided by you in the contractual context for the purposes of Soft Spam, even without your consent, pursuant to art. 130, par. 4, of Legislative Decree no. 196/2003 ("Privacy Code"), and if you do not object to such processing, either immediately or subsequently, by notifying the Data Controller in the manner indicated below in the section entitled "What are your rights?" or by using the unsubscribe option at the bottom of the e-mail.
  d) carry out the quality checks of telephone calls by listening to the relevant recordings;
  e) perform, in aggregate form, qualitative and quantitative analysis of trends, in order to improve risk management, business strategies and processes, and to organise the business activities necessary for the development of products and services;
  f) where the service so provides, prevent payment fraud;
  g) manage any judicial and extrajudicial litigation.
In relation to purposes d), e), f) and g), the legal basis that legitimizes the processing is the legitimate interest of the Data Controller to improve business strategies and processes and organize business activities for the development of products and services, protect itself and users of payment services from any fraud, defend itself in court and/or out of court. The provision of your personal data for these purposes is necessary, as any refusal would not allow you to use the products and/or services offered by the Data Controller.

5) To whom may the personal data be disclosed?

Your personal data may be known by the Data Controller's personnel authorised to process it due to the performance of their work duties or by persons acting as data processors – specifically appointed pursuant to art. 28 of the Regulation – or as independent data controllers. The different categories of recipients are described below:

  • public entities in the context of legally required communications, authorities and supervisory bodies (e.g. Bank of Italy, FIU, Judicial Authority);
  • in the case of subscription to the Fabrick Account-To-Account Service, to the company Token.io;
  • companies involved in the execution of payment transactions (so-called ‘acquirer’);
  • persons that audit and certify the financial statements of the Data Controller;
  • companies providing fraud prevention services;
  • archive established at the Ministry of Economic Affairs and Finance pursuant to Legislative Decree no. 141 of 13 August 2010, for the purpose of preventing identity theft;
  • companies that provide the technological infrastructure for the provision of services or for customer registration, as well as support and maintenance activities;
  • companies that may be involved in the fulfilment of obligations under Anti-Money Laundering regulations;
  • companies that support customer service activities;
  • providers of advanced electronic signature services (FEA);
  • providers of digital identities that allow identification via SPID;
  • providers of digital identity verification services using biometric technologies;
  • providers of alternative payment instruments;
  • marketing and market research companies that assist the Data Controller;
  • third party companies that assist the Data Controller in the development and improvement of services;
  • companies that provide Customer Relationship Management (CRM) software;
  • companies that manage credit recovery or provide professional tax and legal advice and assistance or investigative activities in the event of breach of contract.

6) Can your personal data be transferred to countries outside the European Economic Area?

For the pursuit of the aforementioned purposes, the Data Controller may transfer your personal data outside the European Economic Area (for example, to the United States and India). The transfer will only take place to third countries that have been recognized by the European Commission as providing an adequate level of protection or where adequate safeguards are in place, such as, for example, the standard contractual clauses adopted by the European Commission, or the specific exceptions provided for by the Regulation.

7) How long will your personal data be stored?

The processing will have a duration necessary for the pursuit of the purposes listed above, for which the data were collected and/or provided. In particular, the data will be processed and kept for the entire duration of the contractual relationship and subsequently stored in compliance with the terms provided for by the reference legislation (e.g. accounting and tax).

Furthermore, in the case of:

  1. chat support service, the data collected will be retained for one year; controls have been implemented as part of this service to automatically identify and anonymize certain categories of personal data (e.g. IBAN, credit card number), when provided voluntarily by you, and these data will therefore not be retained;
  2. if the contract is not concluded, the data collected as part of the identification and onboarding process will be retained for one year from the date of collection, unless there are additional retention obligations;
  3. in the case of subscription to services provided as a Payment Institution, in accordance with the applicable provisions on the retention and provision of documents, data and information for the purposes of combating money laundering and the financing of terrorism, the data will be retained:
    • in the case of an ongoing relationship, for ten years after the termination of the relationship;
    • in the case of an occasional transaction, for ten years after the transaction itself;
    • in the case of a suspicious transaction report, for ten years after the report is made.

At the end of the retention period, personal data will be deleted or kept in a form that does not allow their identification, unless their processing is necessary for one or more of the following purposes:

  • resolution of pre-litigation and/or litigation initiated before the end of the retention period;
  • follow-up of investigations/inspections by internal control functions and/or external authorities initiated before the end of the retention period;
  • follow-up of requests from Italian and/or foreign public authorities received/notified to the Data Controller before the end of the retention period.

8) What are your rights?

We inform you that you, as the data subject, may exercise the following rights regarding the processing of your personal data:

  1. right of access: right to obtain from the Data Controller confirmation that a processing of your personal data is or is not in progress and, in this case, to obtain access to them (unless this affects the rights of others);
  2. right of rectification: right to obtain from the Data Controller the rectification of your inaccurate personal data without undue delay, as well as the integration of incomplete personal data, including by providing a supplementary declaration;
  3. right to erasure ('right to be forgotten'): the right to obtain from the Data Controller the erasure of your personal data without undue delay. The Controller is obliged to carry out such deletion if, for example, but not limited to:
    • your personal data are no longer necessary in relation to the purpose of the processing;
    • the consent on which the processing is based is withdrawn and there is no other legal basis for the processing;
    • your personal data have been processed unlawfully;
    • your personal data must be deleted in order to comply with a legal obligation;
  4. right to restriction of processing: right to obtain restriction of processing from the Data Controller. The Data Controller has the obligation to proceed with the aforementioned limitation if:
    • the accuracy of your personal data is disputed (for the period necessary for the Data Controller to verify the accuracy of such personal data);
    • the processing is unlawful and you have objected to the deletion of your personal data and requested its limitation;
    • personal data (although no longer necessary for the purposes of processing) are necessary for you to ascertain, exercise or defend a right in court;
    • checks are underway on the possible prevalence of the Data Controller's interests if you have exercised the right to object set out below;
  5. right to data portability: right to receive your personal data in a structured, commonly used and machine-readable format and to transmit such data to another Data Controller, only in cases where the processing is based on consent or contract and only for data processed by electronic means;
  6. right to object to processing: for reasons related to your particular situation, you have the right to object at any time to the processing of personal data whose legal basis is a legitimate interest of the Data Controller, unless the Data Controller demonstrates the existence of compelling legitimate reasons to proceed with the processing that prevail over your interests, rights and freedoms or for the establishment, exercise or defence of a right in court. In addition, you may object at any time to the processing of your personal data for direct marketing purposes, including profiling to the extent that it is connected to such direct marketing;
  7. right to withdraw consent: you may manage and/or revoke at any time the consent you may have given to specific activities (by way of example and not limited to: marketing and/or profiling), without prejudice to the lawfulness of the processing carried out prior to the revocation;
  8. right to lodge a complaint with a Supervisory Authority: without prejudice to any other administrative or judicial appeal, if you consider that the processing concerning you violates the Regulation, you have the right to lodge a complaint with the Supervisory Authority of the Member State in which you usually reside or work, or of the State in which the alleged violation occurred.

To exercise the above rights, you can send a request to the following addresses:

The Data Controller will provide information on the action taken in response to the specific request without undue delay and at the latest within one month of receipt of the request.

In any case, you can contact the Data Controller and/or the DPO at the addresses indicated above if you want more details and/or need clarification regarding the processing of your personal data.

If the exercise of the rights listed above may result in an effective and concrete prejudice to the interests protected pursuant to the Anti-Money Laundering Regulations, pursuant to art. 2-undecies of the Privacy Code, the scope of these rights and certain related obligations of the Data Controller may be limited. In such circumstances, the exercise of the same rights may be delayed, limited or excluded, for the time and to the extent that this constitutes a necessary and proportionate measure. If the conditions are met, a reasoned communication will be sent to you without delay.