With respect to the FAQs requested to explain our services and relevant data protection concerns to your End-user, Lean's relationship with an End-user is separate from, and does not affect, Client’s relationship with its customer or the End-user's existing relationship with their bank. Accordingly, Client is required to manage its own data privacy obligations (such as informing its customers about how it processes and stores their data) by way of a separate privacy policy. Lean informs End-users of the type of information we collect and process as part of the provision of the Lean Services, as well as their rights, in our privacy policy found here, which is accessible to an End-user via the SDK when connecting with Lean or via our website.
Notwithstanding the above, we have compiled a couple of relevant FAQs that Client could potentially share with its End-users as follows:
- What is Lean and what services do they provide?
Lean is an Open Banking service provider that enables fintech innovators like Client to seamlessly connect your bank accounts to initiate payments and/or retrieve account details, balance, and transaction history, always with your permissioned consent.
- Is Lean regulated?
Yes, Lean is regulated in the jurisdictions in which it operates. Lean is authorised and regulated by the Financial Services Regulatory Authority (FSRA) to operate in and from the Abu Dhabi Global Market (ADGM) in the UAE to provide account information services and to initiate payments.
Lean is also the first Permitted Fintech authorised and regulated by the Saudi Central Bank to operate in Saudi Arabia. Similarly to the ADGM’s regulatory framework, this authorisation permits Lean to aggregate data and to initiate payments on behalf of its Clients, such as PEMO.
- Is Lean safe?
When Lean initiates a payment on your behalf, it only does so with your consent and it does not take custody of any funds - it simply relies on your instruction to initiate the payment. Where Lean retrieves account data, this depends on the permissions requested when connecting to your account.
- How does Lean manage its data protection requirements?
In the UAE, Lean abides by the data protection requirements specified under the ADGM Data Protection Regulations 2021 (as amended from time to time). In KSA, Lean currently abides by the data protection requirements as stipulated by the Saudi Central Bank as well as the Personal Data Protection Law and accompanying regulations which are due to come into force in 2023.
- Can Lean access personal data of users in a form that links it back to that user in an identifiable form? Is the information stored anonymously?
Details of how Lean collects, processes and stores your personal data can be found in their Privacy Policy, accessible here. Lean will only ever access your personal data as a Client user with your consent. Upon receiving your consent, your personal data is collected and transmitted to Client and stored by Lean in an encrypted and anonymised way, only for as long as is strictly necessary in order for Lean to provide services and to comply with its regulatory obligations.
- How will this information be used by Lean in the future? Is Lean planning to sell this information or profit from the use of such data?
No, Lean does not market or sell personal data of any End-user (i.e. a Client user like you).
- If a user decides to delete their account, does Lean also confirm that they will delete the user’s data from their database?
In line with applicable Data Protection Law, all End-users have the right to request that Lean erase their personal data in certain circumstances. Provided Lean does not have a legal obligation or legitimate reason to store that personal data, Lean will action the request, as is required. This is commonly referred to as the "Right to be Forgotten" under international privacy standards.