- Personal Data
“Personal Data” means any information that may be used to identify you as an individual, directly or indirectly. Such information includes your personal name, identification number, location data, and any information found online that may reveal your physical, genetic, mental, economic, cultural or social identity.
1.2. Information about the Deceased
Personal Data requires a person to have legal capacity, meaning they can exercise their rights, give consent and enter into agreements. Legal capacity begins at birth and is lost upon death. Therefore, in this Policy, any information related to the deceased person is not seen as Personal Data and is excluded from its meaning.
Nevertheless, we will ensure that your personal data collected from you during your life is kept securely and safely with us after your death. We will not share or disclose it in any manner that is not defined in this Policy or not otherwise permitted by the GDPR. Treatment of personal data after death of the data subject differs in regards to the national laws on personal data in each EU Member State: here you may learn about how personal data of deceased person may be treated in your Member State of residence and what options may be available to you and your trusted persons after your death.
1.3. Controller of your Personal Data
As defined in the GDPR, Prifinance is the Controller of your personal data. It means that we determine what information we collect, how and why we collect it, how it is shared and disclosed and what means we use to process this information.
1.4. Processing of your Personal Data
We use specific vendors and partners that are responsible for processing your personal information. For more specific information, please check out Section 8 to learn of how your data is processed, what vendors we use for processing your personal data and what countries we may send your data to for processing.
- Information We Collect
To provide our Services and offer our Products, we must collect information about you.
- Information that You Provide
This category includes content and information that you provide when you use our Services and Products. Prifinance will never ask you to submit any information related to your racial or ethnic origin, sex life or sexual orientation, political opinions, philosophical or religious beliefs, biometric or genetic data and trade union membership.
- Service Provision
When you make an inquiry to enter into a service agreement with us, we may ask for your contact information, including your full name, personal address, e-mail address and phone number. In addition, in order to further verify your identity for the purposes of compliance measures imposed by us under the relevant legislative acts, such as Anti-Money Laundering and Terrorism Financing Prevention Act of Republic of Estonia, we may collect the following personal information from you:
- Formal identification information, such as identity documents issued by the competent government authorities in the country of your domicile and/or birth, e.g. passport, national ID card, residence permit and right of residence cards, driver’s license, birth certificate, visa information, and other relevant identification documents necessary to determine your identity and comply with our obligations under the AML and anti-financial crime laws and regulations;
- Financial information, such as bank account details, payment card information, transaction history, trading data, tax information, and other relevant information.
- Information about your business, such as formal certificate of incorporation issued by the competent authorities of the country of incorporation of your business, extracts from the commercial registries, tax and/or VAT number and information, Articles and/or Memorandum of Association, Certificates of Incumbency, personal identification information about all ultimate beneficial owners (hereinafter: the “UBOs”), shareholders and management board members, information about the origin and source of funds, etc.
- Employment information, such as the job title, location of the employer’s officer and/or job description.
If you contact us directly, we may ask some additional information from you, such as your name, e-mail address, personal address, phone number and other personal information. If you communicate with us, we will always state the reasons why we need this information from you.
- Payment Information
Payment for our Services may be executed via one of the desired payment methods that concern third-party payment processors. We store your information about your financial accounts for the purposes of business continuity, including the continuous provision of our Services to you, conducting accounting and complying with the regulatory requirements under RahaPTS. It is also referred to the payment processor.
- Cookie Files
Cookies are small pieces of text sent to your web browser by a website you visit. Cookies may store user preferences and other information. Cookies provide a convenience feature to save you time or tell the Web server that you have returned to a specific page. A cookie file is stored in your web browser and allows the Service or a third-party to recognize you and make your next visit easier and the Service more useful to you.
Cookies can be “persistent” or “session” cookies. Persistent cookies remain on your personal computer or mobile device when you go offline, while session cookies are deleted as soon as you close your web browser.
Cookies set by us are called “first party cookies”. Cookies set by parties other than the website owner are called “third party cookies”. Third party cookies enable third party features or functionality to be provided on or through the website.
You may learn more about cookies and their use at http://www.aboutcookies.org/ and http://www.allaboutcookies.org/.
- Log Files
We use log files to store information gathered from your use of our Services. We use this information to enhance the functionalities of the website, acquiring detailed information about traffic to optimize the website performance and improve the overall quality of provision of our Services. The information stored in log files may include Internet Protocol (IP) addresses, browser type, operating system (OS), Internet Service Provider (ISP), referring/exit pages, landing pages, time and date stamps and clickstream data. Please note that this information may be considered Personal Data under certain circumstances in accordance with the relevant provisions of the GDPR.
- Information from Partners and Third Parties
Our partners that have been authorized by us to provide our Services may provide your Personal Data to us. In this case, the information forwarded to us is collected by our partners and shared with us. We require our partners to have lawful rights to collect, use and share your Personal Data before disclosing it to us. Such Partners and third parties include but are not limited to the following sources:
- Public Databases, Identity Verification Partners and Credit Institutions: we gather information from the above-mentioned Partners to verify your identity as per the applicable laws and regulations. Identity verification involves collecting such personal information as your name, address, employment information, credit history, affiliation with any restricted, sanctioned or prohibited groups and associations, determined as such by relevant legal acts, as well as other relevant data. Particularly, we are obliged to collect and store such information as per our obligations under the Anti-Money Laundering and Terrorism Financing Prevention Act of Republic of Estonia (Rahapesu ja terrorismi rahastamise tõkestamise seadus, hereinafter: “RahaPTS”), aimed at monitoring, detecting and preventing acts related to money laundering, terrorism financing and other financial crimes.
- Blockchain Data: we collect publicly available blockchain data to detect and prevent illegal activities, including those defined in RahaPTS, to determine current blockchain trends, and to tailor our Services to the needs of our prospective customers and the constantly changing market.
- Marketing Partners, Advertisers and Analytics Partners: we may collect personal data from such partners and third parties for the purposes of conducting research about how you use and interact with our website, Services and Products, as well as to understand what Services and Products may be of interest to you.
- Anonymized Data
As defined by the GDPR, anonymization is a technique that alters personal information to the point when it may no longer be directly linked to a particular individual and such an individual may not be identified, directly or indirectly, from such data.
Prifinance may employ anonymized data for the purposes of conducting research about quality of our Services, understanding customer needs and demands, conducting marketing, detecting and preventing security vulnerabilities and breaches, and other relevant business purposes.
- How We Use Information
We use information we collect in various ways, including the following:
- Providing, operating and maintaining our Services in a manner consistent with the principles of fairness, transparency, efficiency, and genuinity;
- Detecting and preventing fraudulent acts associated with the use of our Services, including those occurring as a result of fraud and abuse of our Services;
- Ensuring compliance with the relevant laws and regulations to prevent anti-money laundering, terrorism financing, fraud and other financial crimes;
- Complying with the anti-financial crime regimes and obligations, regulated and imposed by the competent authorities of Republic of Estonia, such as the Financial Inspection (Finantsinspektsioon, or the “FI”) and the Financial Intelligence Unit (Rahapesu andmebüroo, or the “FIU”);
- Communicating with you, including direct means or through our partners, to perform customer support activities, to inform you of the changes and updates related to the Services, to notify you of important information related to the Services and for marketing and promotion;
- Sending you e-mails, including notification e-mails, reminders and confirmations;
- Improving the quality of our Services;
- Conducting research and development related to our Services to develop new features and functionalities and introduce new products and services;
- Performing measurement and analytics activities to learn how our users interact with our Services and understand our users’ behaviour and preferences;
- Promoting safety, security and integrity of your funds, our Services and data.
- How We Share This Information
We may share the information we collect in various ways and with various third parties.
5.1. Vendors and Service providers
We provide information we collect to vendors and service providers that help us keep our business running. Such vendors include (but are not limited to) payment platforms, web and mobile analytics services, advertisers, partners in IT such as hosting and software providers as well as sales and marketing products.
5.1.1. Non-EU/EEA Vendors
Please kindly note that some of our service providers are located outside of the EU/EEA area. For further information on how your data is handled when sharing it with third parties outside of the EU/EEA, please see Section 11 of this Policy.
5.2. Financial Institutions
5.3. Identity Verification Services
To ensure you see the ads that may be of interest to you, we work with third-party advertising partners. These partners may receive information from us to personalize ads to fit your interests. They may also collect information about you and use it in accordance with their own privacy notes. We never sell your information to advertisers. Additionally, we make sure advertisers we choose are compliant with the GDPR and manage your information accordingly.
5.5. Partners that Work with Us
Due to the nature of our business, we communicate and establish business connections with various partners in the field of banking, legal services, compliance, accounting, and other relevant fields. We may provide your information to them to ensure uninterrupted, accurate, and integral provision of our Services and commence activities that help us maintain our business activities.
5.6. Law Enforcement and Compliance
In some circumstances, we may need to disclose your personal information in accordance with the law and current regulations to law enforcement authorities, government officials or other relevant third parties. It may be necessary in the case of court proceedings, complying with a legal order or other legal process, as well as for the purposes of financial crime, money laundering and terrorism financing prevention, if we have strong grounds to believe any natural or legal person to be involved in or associated with the said forms of crime.
5.7. Business Transfers
In cases of insolvency, bankruptcy, acquisition, transfer of ownership, sale of assets or succession of Prifinance, your personal information may be disclosed to the new owner, acquirer or successor of the company or other relevant third parties.
- How We Secure This Information
At Prifinance, we understand the importance of keeping your personal information in a secure and integral manner, as any breach of personal data may lead to detrimental consequences to you and your funds. Therefore, we employ various physical, technical and administrative safeguards to ensure integrity, security and confidentiality of your personal data.
Your personal information is secured with the help of Transport Layer Security (TLS) protocol that is designed to protect and secure your information from unauthorized access and breaches of privacy. TLS protocol is mainly used for encrypting the information exchanged between our website and servers. We also use TLS to encrypt all the e-mails and messages exchanged with us. We use the latest and the most secure version of TLS (v 1.3) to date and make sure to update it if a more secure and reliable version is released in the future.
In addition, your personal information is stored by us in an encrypted manner. Such encrypted data is stored and maintained with the use of our relevant service providers that help us maintain physical, technical, electronic and administrative safeguards. Please note that some of such vendors may be located outside of the EU/EEA zone: to learn more about how your personal data is collected, stored, handled and processed by such vendors, please read Section 11 of this Policy.
At the same time, even with all the security and safety measures imposed by us at all times, we cannot guarantee that your data may not be breached, accessed without authorization or otherwise tainted and leaked. We ask you to kindly acknowledge that a great part in data security lies with you, and it is important to treat your personal data with diligence, attentiveness, and care. It is strongly recommended to check for the safety of your connection (which can be accessed by clicking a lock sign next to the URL field of your browser) to make sure you do not submit your personal information to fraudulent and compromised versions of our website, developed and maintained by unauthorized persons with malicious intent.
Should you become aware of any attempt to misuse your personal information by the above-mentioned or any other malicious means, or should you believe your personal information is not stored, handled and maintained securely by us, please notify us immediately at firstname.lastname@example.org.
- Retention of Personal Information
Your personal information is stored securely for as long as your business relationship with us lasts. We will only store and retain your personal information for the period necessary to fulfill purposes for which it is collected. Retention periods may vary in regards to the type of personal information and purposes for which it was collected, such as indicated below:
- Personal information related to our legal obligations to comply with anti-financial crime and anti-money laundering laws and regulation, including RahaPTS, may be stored for as long as it is required by such laws;
- Contact information for marketing purposes is retained for as long as we have your consent and is deleted immediately after you recall your consent;
- Telephone call records and other correspondence with us may be kept for a period of up to five years;
- Information collected via technical means is retained for a period of up to one year.
- Legal Basis and Legitimate Interests
Our legal basis to collect, use and share your personal data varies depending on the context. The following are the situations in which we perform processing:
- When we have your consent, meaning you have read our data processing purposes and have agreed to them by giving your consent; such as in cases that include but are not limited to being subject to our marketing notifications and campaigns and granting your consent to use your personal information to enhance your experience of using our website and Services;
- When we need to perform a contract with you, meaning that your information is necessary to process and finalize your order or comply with the terms of any other contract we have entered into with you; to enforce the terms of this Policy and other agreements; to provide our Services; to provide customer service and support, to ensure quality of our Services and communications;
- When we have a legal obligation to comply with, meaning that data disclosure is necessary to comply with the legal requirements set by law or legal order;
- When we have a legitimate interest, meaning that we process your personal data to operate and provide our Services, improve our Products, ensure proper security and prevent illegal activities and handling of your data. We only have legitimate interest when it does not override your fundamental rights.
- Rights of the Data Subject
As a data subject, you have certain rights provided by the GDPR that you may invoke.
9.1. Access, Update, Correct or Erase Your Information
You have the right to request the above to be done with your information. You may do so at any time by e-mailing us at email@example.com.
9.2. Objecting to and Restricting Processing of Information
You may also exercise these rights at any moment by contacting us at firstname.lastname@example.org.
9.3. Data Portability
If you wish to receive all the personal information we collected from you to then provide it to another controller, you may do so by contacting us at email@example.com.
9.4. Opt-Out of Marketing Messages
You have the right to opt-out of marketing messages at any moment. This can be done by clicking the ‘unsubscribe’ option in the marketing e-mails from us. You may also contact us at firstname.lastname@example.org and we will unsubscribe you.
9.5. Withdraw Your Consent
You may withdraw your consent for processing your personal information at any moment. Please note that lawfulness of consent before withdrawal will not be affected.
9.6. Complaining to a Data Protection Authority (DPA)
You have the right to complain to the DPA of your country of residence about collecting and processing of your personal information by us. The list of the DPA representatives, their webpages and contact information is available here.
- Automated Processing and Decision-Making
We may employ automated tools to determine fraud or financial crime risks associated with any Order, Trade, Transaction or Customer. However, we do not perform any decision-making based on means of fully automated processing, or automated processing that relies solely on decisions and conclusions generated by the machines and the line of code and does not involve any human control, assessment and/or intervention. Similarly, we do not employ any algorithmic and automated systems to make decisions that have serious life-affecting consequences, except for the cases laid down by relevant data protection provisions.
- International Transfer of Data
We strive to enhance the security of personal information you are entrusting us with. Therefore, we opt for the most secure and diligent data processors to do the task. Some of such processors are located overseas outside of the EU/EEA area in countries that have different regulations on personal information. However, our partners follow the requirements and safeguards of the GDPR when receiving and handling your personal information that we share with them.
For transfers of information to and from processors located in the UK, the European Commission adequacy decision has been adopted, meaning that data may flow freely from the EU/EEA to the UK and back since the EU considers the data protection regime in the UK essentially equivalent to the regime of the GDPR.
For transfers of information into the EU from other countries covered by the European Commission adequacy decisions, such as Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay, we are required to comply with the local legal requirements and regulations on transfers of personal data, therefore we make sure the specific arrangements are being followed when receiving data from any of the aforementioned countries.
For transfers of information to processors located in the US, we no longer rely on processors that are certified under the EU-US Privacy Shield Framework because it was invalidated in 2020 by the decision of the European Court of Justice. Instead, we make sure our international processors have adopted Standard Contractual Clauses for data protection.
- Children’s Privacy
We do not knowingly collect and process any personal information from children under 13 years of age. Please note that for any collection and processing of personal information of a child under 13, we require explicit consent from the child’s legal representative, such as a parent or a guardian.
If you suspect that a child under 13 has provided us with their personal information without explicit consent, please contact us at email@example.com.
- Changes to the Policy
We may modify this Policy from time to time to adapt it to the changing regulations and new developments. Changes will be posted on our Website. Additionally, we will notify you of changes via e-mail.
- Contact information
If you have any questions or concerns regarding this Policy, your personal data rights and how to invoke them, or any other question about your personal information, please feel free to contact us at firstname.lastname@example.org.