Skip to content

Privacy statement

This privacy statement will answer your most important questions about the relevant privacy aspects. If you have any questions -after reading our privacy statement- or wish to contact us about something else related to privacy aspects, you can do so via the contact details below. Please note that Cobase is the trading name of Financial Transaction Services B.V. known under Dutch Chamber of Commerce number 68914016.

COBASE
Margriet Toren, 5th floor
Haaksbergweg 75, 1101 BR Amsterdam ZO
client.service@cobase.com

Purpose of personal data

Cobase complies in all cases with the applicable laws and regulations, including the General Data Protection Regulation (GDPR, in Dutch the “Algemene Verordening Gegevensbescherming”, AVG).

We serve typically large and midsized corporate clients. Our clients appoint users to have access to our service via app and portal. We store personal data on these users.

The primary purpose of the (personal) data we store is executing the agreements with our clients. In practice this means the following:

  • Providing access and use of functionality for users on our portal and app;
  • Logging and auditing the history of payments, transaction and reporting and user activity (Cobase and designated users of the client only). The data will also be used in case of a legal dispute; and
  • Store data efficiently (e.g. transfer to an archive).

Additionally we use (personal) data to comply with the law and regulations such as the Dutch Financial Supervision Act (WFT) and Money Laundering and Terrorist Financing (Prevention) Act (Wwft), applicable local sanction and anti money laundering laws and the second Payment Services Directive, including the related Regulatory Technical Standards (RTS):

  • Register data to comply with legal obligations, for example for customer identification and verification purposes;
  • Implementation or verification of controls (e.g. internal audits or investigations); 
  • Dispute resolution or litigation; and
    • Sanction, Anti-Money Laundering and terrorism screening.

On top of this personal data can be used for the legitimate interests of our clients and Cobase itself, in which case we will always balance this with the interests of the people the personal data relate to:

  • Process the data for internal analysis and product/business development. This enables us to improve products and services we provide to our clients and prospects; and
  • Process data to safeguard the security of our clients and Cobase. This can include e.g. monitoring of IP addresses.

Where possible data will be anonymised for the above stated purposes. 

Cookie declaration

Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

You can at any time change or withdraw your consent from the cookie declaration on our website.

Learn more about who we are, how you can contact us and how we process personal data in this privacy statement.

Cookie overview:

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies. 

__hs_opt_out

  • This cookie is used by the opt-in privacy policy to remember not to ask the visitor to accept cookies again.
  • This cookie is set when you give visitors the choice to opt out of cookies.
  • It contains the string "yes" or "no".
  • It expires in 13 months.

__hs_do_not_track

  • This cookie can be set to prevent the tracking code from sending any information to HubSpot.
  • It contains the string "yes".
  • It expires in 13 months.

__hs_initial_opt_in

  • This cookie is used to prevent the banner from always displaying when visitors are browsing in strict mode.
  • It contains the string "yes" or "no".
  • It expires in seven days.

__hs_cookie_cat_pref

  • This cookie is used to record the categories a visitor consented to.
  • It contains data on the consented categories.
  • It expires in 13 months.

hs_ab_test

  • This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before.
  • It contains the id of the A/B test page and the id of the variation that was chosen for the visitor.
  • It expires at the end of the session.

<id>_key

  • When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again.
  • The cookie name is unique for each password-protected page.
  • It contains an encrypted version of the password so future visits to the page will not require the password again.
  • It expires in 14 days.

hs-messages-is-open

  • This cookie is used to determine and save whether the chat widget is open for future visits.
  • It is set in your visitor's browser when they start a new chat, and resets to re-close the widget after 30 minutes of inactivity.
  • If your visitor manually closes the chat widget, it will prevent the widget from re-opening on subsequent page loads in that browser session for 30 minutes.
  • It contains a boolean value of True if present.
  • It expires in 30 minutes.

hs-messages-hide-welcome-message

  • This cookie is used to prevent the chat widget welcome message from appearing again for one day after it is dismissed.
  • It contains a boolean value of True or False.
  • It expires in one day. 

__hsmem

  • This cookie is set when visitors log in to a HubSpot-hosted site.
  • It contains encrypted data that identifies the membership user when they are currently logged in.
  • It expires in one year. 

hs-membership-csrf

  • This cookie is used to ensure that content membership logins cannot be forged.
  • It contains a random string of letters and numbers used to verify that a membership login is authentic.
  • It expires at the end of the session.

hs_langswitcher_choice

  • This cookie is used to save the visitor’s selected language choice when viewing pages in multiple languages.
  • It gets set when an end user selects a language from the language switcher and is used as a language preference to redirect them to sites in their chosen language in the future, if they are available.
  • It contains a colon delimited string with the ISO639 language code choice on the left and the top level private domain it applies to on the right. An example will be "EN-US:hubspot.com".
  • It expires in two years.

__cfruid

This cookie is set by HubSpot’s CDN provider because of their rate limiting policies. Learn more about Cloudflare acookies. It expires at the end of the session.

Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.

__hstc

  • The main cookie for tracking visitors.
  • It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
  • It expires in 13 months.

hubspotutk

  • This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
  • It contains an opaque GUID to represent the current visitor.
  • It expires in 13 months.

__hssc

  • This cookie keeps track of sessions.
  • This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
  • It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
  • It expires in 30 minutes.

__hssrc

  • Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.
  • If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
  • It contains the value "1" when present.
  • It expires at the end of the session.

Analytics cookies 

These are non-essential cookies controlled by the cookie banner. You can opt out of these cookies by not giving consent.

__hstc

  • The main cookie for tracking visitors.
  • It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
  • It expires in 13 months.

hubspotutk

  • This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
  • It contains an opaque GUID to represent the current visitor.
  • It expires in 13 months.

__hssc

  • This cookie keeps track of sessions.
  • This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
  • It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
  • It expires in 30 minutes.

__hssrc

  • Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.
  • If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
  • It contains the value "1" when present.
  • It expires at the end of the session.

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

Retention period

Cobase does not store personal data for longer than necessary for the purpose for which it was provided or is required by law. We assess how long the data is needed for the purpose for which it was collected or used.

Fraud and abuse

In the event of fraud or abuse Cobase may provide your personal data to the police and justice system. Cobase may also engage external experts who support us in security and enforcement of regulatory and company rules.

Personal data we store

We can use the following personal data:

  • Name;
  • ID number: In some countries it is a requirement to log this number for execution of payments;
  • Date of Birth: In some countries this is a requirement by law. We also use this data for identification purposes when we provide support;
  • IP address: we require this to be able to identify the visitors of our website which may be used for marketing and business development purposes;
  • Mobile phone number: We require this to be able to contact you in activation as well as for support purposes;
  • Mail address (professional): We require this to be able to contact you for support purposes;
  • Logs on actions user took on the Cobase portal/app; and
  • Personal data that are part of a payment (e.g. a salary payment).

Please note: as part of the identification and authorization in the Cobase app and portal we use devices with a camera to scan a visual code on the screen. The video taken by these cameras could accidentally include a person. These data are not stored or accessible by Cobase or other parties involved in the data processing.

Who has access to these data?

The intended parties who have access to these data are:

  • The client who has provided you with access. This typically relates to their user management, auditing, cash management and treasury operation and related risk management and auditing (the corporate administrator);
  • Cobase; and
  • Third parties in our processing (see below).

Third parties we use in processing

Third parties, acting as data processors (except SWIFT), can be involved in executing our obligations from the contract with the client. This means we may need to share personal data with them. All obligations from the client contract and this privacy statement have been enforced in these environments.

In case of legal, regulatory or fraud concerns personal data might be shared with external risk/legal fraud experts.

Furthermore we use the third parties mentioned in the cookie declaration paragraph for our website.

Geographical scope

For the purpose of data processing executed by Cobase, the data will remain in the EU or Switzerland (i.e. countries that have demonstrated to comply with the GDPR). Where transactions are executed to banks outside the EU, Cobase will only send transactions to such banks as directed by its clients.

Policy statements regarding privacy

When creating our policies and procedures we had the GDPR/AVG in mind. All our employees have signed a non-disclosure agreement. We have determined which employees require access to specific data and ensure this is enforced by our system.

Insight and changes to your personal data

The majority of the personal data we store for the users of our apps and portal can be reviewed in our portal in the heading "My profile". Correcting data is also possible in this screen. Please note that actions you took on the portal previously can not be changed.

Should you require insight through other means please contact the appropriate contact who manages the authorisations at your employer who required your access to our portal.

You should receive the insight into data within 1 month. In case the request is denied or delayed you will receive a specific reason and we will inform you how you can take steps in case you do not agree.

Complaints

Cobase sees the proper handling of (personal) data of the utmost importance.

Should you not be satisfied please contact our privacy officer via client.service@cobase.com. If we cannot find a solution with you, it is possible to log complaints with the applicable data protection authority. Complaints around the handling of your data by Cobase can be logged with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in The Hague.

Changes to this privacy statements

We reserve the right to change this privacy statement. In case you do not agree to changes you can require your corporate administrator to remove your access from the portal (please note that actions you took on the portal previously can not be changed).

Version

This privacy statement is version 1.4 finalised and published on September 2021.