Privacy policy

Privacy Policy – Savio.money

Effective: [14.10.2025]    •    Last updated: [14.10.2025]

1) Who we are and our roles

Savio Payment OÜ, Harju maakond, Tallinn, Kesklinna linnaosa, Vesivärava tn 50-310, 10152, Estonia (“Savio”).

Savio provides the Savio.money website and app as an interface to payment services delivered by QUICKO. Savio does not hold a financial services licence, does not open or operate payment accounts, and does not issue cards.

For website/app operations (hosting, communications, analytics, security), Savio acts as a data controller. For regulated processes (onboarding KYC/AML, account opening/servicing, transfers, card issuing/servicing), QUICKO is the data controller and Savio acts as QUICKO’s processor.

Quicko Sp. z o.o., ul. Sienkiewicza 49, 42-600 Tarnowskie Góry, Poland; KRS: 350151 (District Court in Gliwice, 10th Commercial Division), NIP: 5213540295, licensed as a National Payment Institution (Polish FSA register: IP52/2021) (“QUICKO”).

2) Personal data we process

• Identification and contact data submitted to QUICKO during onboarding (KYC/AML) when activating QUICKO financial services.
• Technical and usage data for the website/app (Savio): device identifiers, OS, IP address, logs, location data (if enabled), cookies and similar technologies.
• Communications data: emails/chats with support, service tickets.
• Financial data (QUICKO as controller): account numbers, transactions and metadata, tokenised card data, balances, payment orders.

We do not create independent “Savio accounts” for operating payment services; access to financial features requires a relationship with QUICKO.

3) Purposes and legal bases (GDPR)

• Performance of a contract for access to the app/website (Savio) – maintaining and improving the interface, communications and support (Art. 6(1)(b)).
• Provision of payment services (QUICKO) – onboarding, account/card services, transfers; and legal obligations incl. AML (Art. 6(1)(b)/(c)).
• Legitimate interests (Savio/QUICKO) – security, fraud prevention, claims handling, aggregated analytics and product improvement (Art. 6(1)(f)).
• Consent – marketing, push notifications, location data, analytics/marketing cookies (Art. 6(1)(a)).

4) Sources of data

We obtain data directly from you. In regulated processes, data are collected by QUICKO via the Savio app (Savio acts as QUICKO’s processor).

5) Data recipients

We share data only where necessary and lawful: QUICKO (for regulated services), IT/cloud/hosting/analytics/communications providers, KYC/AML and anti‑fraud partners (for QUICKO), payment schemes/processors, legal and audit advisors, public authorities and courts where legally required.

6) International transfers

Where data are transferred outside the EEA, we use Standard Contractual Clauses (SCCs) and appropriate safeguards. Details are available on request.

7) Retention periods

• Website/app operational data (Savio): retained while you use the service and as needed for security/claims (generally up to 6 years).
• KYC/AML and financial data (QUICKO): generally 5–10 years after the relationship ends, as required by law.
• Marketing data based on consent: until consent is withdrawn or you object.

8) Automated decisions and profiling

QUICKO may use automated risk assessments (AML/anti‑fraud/limits). Where a decision produces legal or similarly significant effects, you have the right to human intervention and to contest the decision.

9) Regulatory requirements (KYC/AML) – QUICKO

You may be required to provide identity verification (document + liveness), PEP/sanctions checks, source of funds, and (for businesses) beneficial ownership information. Refusal may prevent QUICKO from providing services.

10) Your rights

You have rights under GDPR: access, rectification, erasure, restriction, portability (where based on consent/contract and processed by automated means), objection to processing based on legitimate interests, and withdrawal of consent. You can lodge a complaint with a supervisory authority (see 11).

11) Supervisory authorities

• Savio: Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
• QUICKO: President of the Polish Personal Data Protection Office (PUODO).

12) Data security

We apply appropriate technical and organisational measures: encryption, access control, pseudonymisation, event logging, security testing, DPIA, minimisation and retention controls.

13) Cookies and similar technologies

• Strictly necessary – core operation of the site/app (Art. 6(1)(f)).
• Analytics – measurement/diagnostics (Art. 6(1)(a) – consent).
• Marketing – personalisation/remarketing (Art. 6(1)(a) – consent).

Details are set out in the Cookie Policy; manage your preferences via the banner or in‑app settings.

14) Contact and DPO

Savio Payment OÜ – website/app, support, marketing: [privacy@savio.money], Vesivärava tn 50-310, 10152 Tallinn, Estonia.

Quicko Sp. z o.o. – financial services (accounts, transfers, cards, KYC/AML): [privacy@quicko], ul. Sienkiewicza 49, 42-600 Tarnowskie Góry, Poland.

Data Protection Officer (if appointed): [dpo@savio.money] / [dpo@quicko].

15) Processors

We use IT/cloud/hosting/communications/analytics providers and, for QUICKO, KYC/AML and anti‑fraud partners. We conclude Art. 28 GDPR processing agreements with all processors.

16) Changes to this Policy

We may update this Policy to reflect legal or functional changes. Material updates will be announced in the app/website.

17) Deleting access and closing services

Savio does not operate separate financial accounts. You may request deletion of operational and communications data processed by Savio. Closing accounts/cards is handled by QUICKO under its procedures [INSERT YOUR STEPS HERE].