Privacy Policy
Date: 28.04.2023
Version: 1.0
1. General terms
Indemo, SIA, registration number 40203401432, registered under the laws of the Republic of Latvia, with its legal address: Mazā Nometņu iela 10 – 2, Riga, LV-1002, Latvia, an investment firm authorised by Latvijas Banka (the Central Bank of Latvia) (hereinafter – Indemo), has developed this Privacy Policy to inform persons who visit and register on the Indemo website www.indemo.eu (hereinafter – Platform) as its users, including representatives of the users if the user is a legal entity (hereinafter – User), and who use the services provided by Indemo via the Platform (hereinafter – Services), about the collection, use and transfer of their personal data to third parties.
If you have any questions regarding the Privacy Policy of Indemo or if you wish to obtain additional information on how to exercise the rights specified herein, you can contact Indemo in writing via email: [email protected].
Indemo strives to ensure appropriate technical and organisational measures to protect the Users’ data and to provide transparent data protection rules. This Privacy Policy outlines the data processing activities carried out by Indemo with respect to Users who are natural persons.
The personal data processing activities carried out by Indemo can be described not only in this Privacy Policy but also in the Terms and Conditions of Indemo Investment Platform (hereinafter – Agreement), the Cookies Policy and the Cookies section of the Privacy Policy.
2. Categories of the User’s personal data
Indemo processes several categories of the User’s personal data from the User and other third parties:
- identification data, such as the User’s first name and surname, gender, date of birth, place of birth, personal identity number, place of tax residence, tax ID, information from an identity document, a photograph of the User's profile and a video recording of the verification session;
- contact data, such as the User’s residence address or address for communication purposes, postal address, email address and phone number, the language of communication;
- financial data, such as monthly income and other regular or irregular income, financial liabilities, source or origin of income (for funds), data about transactions, property, bank account details;
- occupation (or employment) data, such as data about existing or previous employer, occupation, position grade, area of work, working experience, education;
- correspondence records, such as the User’s communication with Indemo through the Platform, via email or by phone, or other tools which could be introduced, as well as information from surveys;
- location data, such as IP address, login place, and transaction place;
- family data, such as marital status, dependents or family members;
- special category data (data about criminal convictions, legal capacity (in special cases));
- other data:
a) data concerning the applicability of any sanctions, including data regarding any relevant business dealings or activities, including any adverse media coverage that is available;
b) risk profiling, classification and other information gained from risk assessment-based activities;
c) information on the purpose and intended nature of the business relationship and investment objectives;
d) information on the User's knowledge and experience in investment services;
e) transaction data, including the User’s invested funds, investments, transactions, incoming payments, claimed disbursements of money, information regarding the concluded assignment agreements, net annual return, selected currency, available funds, and accountancy accounts;
f) data about the participation in companies and other types of legal entities, data about managers and other persons having decisive votes or representatives of the companies using or intending to use Services, as well as their ultimate beneficiary owners’ information and contact details of the representatives of the companies using or intending to use the Services;
g) voice and/or video recording data such as phone voice recordings.
Indemo does not process sensitive data related to the User’s health, ethnicity, religious or political beliefs unless required by law or in specific circumstances, for example where the User reveals such data while using the Services.
3. Legal basis and purposes of processing personal data
Indemo must have a legal basis for using the User’s personal data. The legal basis is the following:
3.1. Performance of agreements
Indemo must have specific personal data to provide the Services, and it cannot provide them without the User’s personal data.
Examples of purposes for processing include:
- to take steps at the request of the User prior to entering into an agreement, as well as to conclude, execute and terminate an agreement with the User;
- for managing client relations, providing, and administering access to the Services;
- to authorise and control access to the Services.
3.2. Legal obligations
To fulfil legal obligations under applicable regulations, Indemo is required to process the User’s data in accordance with regulatory and data protection legislation.
Examples of purposes for processing are:
- before the User may use the Services on the Platform and Indemo website and during the cooperation with the User under the Agreement, Indemo performs the due diligence of the User to verify the User’s identity and to keep the User’s data updated and correct by verifying and enriching data through external and internal registers;
- to prevent, discover, investigate and report money laundering and terrorist financing;
- to comply with rules and regulations related to tax information exchange and risk management.
3.3. Legitimate interests
Indemo collects and uses the User’s personal data or shares it with other organisations. Examples of purposes for processing are:
- to provide the User with additional services, such as creating personalised offers;
- to manage the relationships with the User;
- to develop, examine and improve Indemo business, Services and User experience by performing surveys, analyses, and statistics;
- to protect the interests of the User and/or Indemo or its employees;
- to prevent, limit and investigate any misuse or unlawful use or disturbance of the services;
- to ensure adequate provisions of the Services, the safety of information within the Services, as well as to improve, develop and maintain technical systems and IT infrastructure;
- to exercise and defend legal claims and to handle complaints.
3.4. Consent
If the User signs up for Indemo Services, and where allowed by law, Indemo may contact the User by post, email and SMS text message with information about Indemo and its products, services, offers and promotions. Indemo may use the personal data it has collected about the User in order to tailor Indemo offers to the User.
Indemo will not pass the User’s details on to any organisations outside Indemo for their marketing purposes without the User’s permission.
4. Manners of information collection
To ensure the provision of information and the Services, as well as to fulfil the obligations under applicable law, Indemo collects information about the User in the following ways:
4.1. Directly from you as User or potential User:
- Providing an opportunity to fill out an application form on Platform;
- By means of online communication by phone, email or other communication channels or technical tools.
4.2. In an automated way from you as User or potential User:
- Technical information that may contain the IP address, device data, software data and similar data;
- Social network information and content that may contain identification and social account data;
- Cookies (for more information, please see the Indemo Cookies policy).
4.3. About you as the User from third parties:
- Publicly available resources (social networks, social media, public registers);
- Veriff and ComplyAdvantage databases, fraud-prevention agencies or other databases;
- Cooperation partners and affiliated companies of Indemo.
Indemo has the right to collect other information in any other case not mentioned above when the User has given consent or any other legal basis exists for collecting the necessary information.
5. Transfer of information to third parties
As part of Indemo processing, Indemo may share the User data with recipients such as authorities, suppliers, payment service providers and business partners. Indemo will not disclose more of the User’s personal data than is necessary for the purpose of disclosure and with respect to regulatory and data protection enactments.
Recipients may process the User's personal data by acting as data processors or controllers. Indemo undertakes to guarantee appropriate technical and organisational security measures to ensure that the personal data processor upholds security standards that are not lower than the security standards set by Indemo.
Indemo discloses personal data to recipients such as:
- authorities, such as law enforcement agencies, bailiffs, notaries, tax authorities, supervisory authorities and Financial Intelligence Unit and any other authorised person, including administrators, which are involved in any restructuring process of the Lending Companies;
- third parties who are taking debt collection steps to recover debt from the User (such as debt collectors, lawyers, court bailiffs, insolvency administrators, etc.);
- credit and financial institutions, correspondent banks, custodian banks, insurance providers and intermediaries of services, third parties participating in the trade execution, settlement and reporting cycle;
- financial and legal consultants, auditors or any other data processors of Indemo insofar as such information is necessary for the performance of functions delegated to them;
- providers of databases and registers, e.g. credit registers, population registers, commercial registers, securities registers, or other registers holding or intermediating the User’s data, debt collectors and bankruptcy, bailiffs, notaries or insolvency administrators.
6. Geographical area of processing
Indemo and our cooperation partners mainly process the User’s personal data within the European Union/European Economic Area (hereinafter – EU/EEA), but in some cases, personal data is transferred to and processed in countries outside the EU/EEA. The transfer and processing of personal data outside the EU/EEA can take place provided there is a legal basis and one of the following conditions is met:
- the country outside the EU/EEA, where the recipient is located, has an adequate level of data protection as decided by the EU Commission;
- the controller or processor has provided appropriate safeguards, for example, the EU Standard Contractual Clauses or other authorised contractual clauses, approved codes of conduct or certification mechanisms;
- there are derogations for specific situations applicable, for example, the User’s explicit consent, the performance of a contract with the User, conclusion or performance of a contract concluded in the interest of the User, establishment, exercise or defence of legal claims, significant reasons of public interest.
Upon request, the User can receive further details on his/her data transfers to countries outside the EU/EEA.
7. Profiling and Automated decisions about the User
Profiling is the segmentation of a User by evaluating the personal aspects relating to a natural person in order to apply a relevant service model or tailored marketing offers or perform a risk assessment for anti-money laundering purposes.
Depending on Indemo products or services the User uses, Indemo may make automated decisions about the User.
This means that Indemo may use technology that can evaluate the User’s personal circumstances and other factors to predict risks or outcomes. Indemo does this for the efficient running of our services and to ensure decisions are fair, consistent and based on the correct information.
Indemo uses profiling to prepare analyses for direct marketing purposes; profiling supports automated decision-making such as risk management and transaction monitoring to counter fraud, including an automated collection of data from databases and making preliminary assessments and conclusions about whether the User is eligible for Indemo Services, considering the relevant laws and regulations that apply to Indemo and our internal procedures.
8. Where and how Indemo stores your information
The data that Indemo collects from the User is transferred to and stored at a destination inside the EEA. Indemo undertakes to do everything necessary, as far as possible, to protect the User's data when it is sent and received, including by offering a secure way to upload documents.
The access to the User's personal information within Indemo is limited to only those employees who have a good business reason to access or know this information. This is achieved through both technical solutions and physical access rights, as well as proper training and education of Indemo employees who have built appropriate safeguards.
9. Length of retention of information
All User-related information, including information that is stored in the User's Profile/Investment Account and all communications with Indemo, is stored as evidence confirming the identity of the User, the conclusion of the Agreement, transactions made and fulfilment of the Agreement, and is kept until the fulfilment of the Agreement, the data is no longer necessary to provide Services, the data storage timeframe or limitation period for legal proceedings established by the laws and regulations of the Republic of Latvia expires.
Indemo will generally keep the User's personal data for 10 (ten) years after Indemo's business relationship with the User ends, in accordance with the Agreement or for such period as may be required by applicable local laws. The personal data must be retained for at least 5 (five) years according to the Law on Prevention of Money Laundering and Terrorist and Proliferation Financing. The personal data is retained for another 5 (five) years based on the legal interests of Indemo according to the ordinary limitation period of a potential or ongoing court claim or another legal reason.
10. User rights related to personal data
Indemo respects User’s rights to access, manage and control the personal data that Indemo processes. Once Indemo receives a request from the User to exercise any of the rights listed below, Indemo will review the User’s request and provide a response without undue delay and, in any event, within one month of receipt of the request. According to the data protection legislation, this time period may be extended if the User’s request is complex or if, due to the number of received requests, Indemo cannot prepare a reply within the previously set time limit. In this case, Indemo informs the User about the extension of the time limit for preparing a reply to the User’s request and indicates the specific term for preparing a reply.
If the User wishes to exercise any of the rights listed below, they can submit a request in one of the following ways:
- By email to [email protected];
- By signed request to Mazā Nometņu iela 10 – 2, Riga, LV-1002, Latvia
Indemo reserves the right to request additional information from the User in order to verify the identity of the person, who has sent the request, and to protect the User’s data from being disclosed to unauthorised persons, as well as to request a signed request with secure e-signature or with handwritten signature for verification and security purposes. If the User or Indemo has terminated the Agreement and is not able to identify the data subject via User’s Profile, Indemo has the right to request identification of the person before any personal data disclosure based on such request.
The User has the right to access the personal data free of charge. However, if the User’s requests are manifestly unfounded or excessive, Indemo retains the right to charge a reasonable fee or to refuse to act on the request.
11. User’s specific rights
11.1. Right of access
The User is entitled to receive information on whether or not Indemo processes the User’s personal data.
The User has the right to obtain the following information:
- purposes of the processing;
- categories of personal data being processed;
- personal data recipients or categories of such recipients;
- length of time the data will be stored;
- User’s rights in connection to the data processing;
- available information on the data source (if the personal data was not obtained from the User);
- existence of automated decision-making.
11.2. Right to rectification, to the extent possible
The User is entitled to request Indemo to rectify the User’s inaccurate or incorrect personal data, but not all data may be rectified. Indemo will need to verify that the amended data is true and accurate.
11.3. Right to erasure, to the extent possible
The User is entitled to request Indemo to erase the User’s data. This right can be exercised if one of the following grounds apply:
- purposes of the processing have been reached;
- personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the User withdraws the given consent;
- the User objects to the processing;
- personal data has been unlawfully processed;
- personal data must be erased for compliance with a legal obligation.
Indemo reserves the right to reject the request to erase the User’s personal data if there is a legitimate legal ground.
11.4. Right to the restriction of processing
The User is entitled to request Indemo to restrict the processing if one of the following grounds applies:
- the User contests the accuracy of the personal data for a period that enables Indemo to verify the accuracy of the personal data;
- processing is unlawful, and the User requests restriction as opposed to the erasure of the personal data;
- Indemo no longer needs the User’s personal data, but the personal data is necessary for the User to establish, exercise or defend legal claims.
Upon restricting the processing of the User’s personal data, Indemo will only process the User’s personal data after receiving consent from the User or for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person, or reasons of important public interest.
11.5. Right to object to the processing of personal data
The User is entitled to object to personal data processing activities concerning direct marketing.
11.6. Right to data portability, to the extent possible
The User is entitled to request Indemo to receive and transfer the User’s personal data to the User or another data controller. The User can exercise this right insofar as the data has been provided by the User based on consent or a contract and the processing is carried out by automated means.
11.7. Right to withdraw consent
The User is entitled to withdraw previously given consent at any time. However, this will not affect the lawfulness of any processing carried out before the User withdraws his/ her/ its consent. This right applies to receiving commercial notices and overviews from Indemo.
11.8. Right to submit a complaint to the national personal data protection authority
In case of any uncertainty related to the User's personal data, the User is welcome to contact Indemo, and Indemo will provide an answer or find a solution for the User's issue. However, if the User believes Indemo cannot find the solution, the User is entitled to submit a complaint to the national personal data protection authority in Latvia regarding data processing activities conducted by Indemo.
The contact information of the national personal data protection authority of the Republic of Latvia: Data State Inspectorate, Elijas iela 17, Rīga, LV-1050, webpage: www.dvi.gov.lv
11.9. Right to contact Indemo and obtain additional information on the processing of personal data
The User is entitled to contact Indemo at any time and obtain additional information regarding personal data processing activities.
12. Indemo is keeping the User's personal data safe and secure
Indemo works diligently to protect the User’s personal data and:
- employs several physical and electronic safeguards to keep the User’s information safe;
- stores all its data on servers in secure facilities, and implements systematic processes and procedures for securing and storing data;
- limits access to User’s personal data to only those employees with authorised access who need to know the information in order to perform their work duties;
- requires third parties who perform services for Indemo to agree to keep the User’s personal data confidential;
- continues to protect personal data after the Agreement termination;
- provides its employees with the necessary training for data protection and security purposes.
13. Cookies
Indemo uses cookies to analyse how the User uses Indemo website. Please read the Indemo Cookies Policy for more information about cookies.
14. Changes in the Privacy Policy
Indemo has the right to make changes to the Privacy Policy at any time by posting them on the Platform. Any version of the Privacy Policy that is published on the Platform replaces all previous versions of the Policy and takes effect immediately upon posting or from the effective date as indicated.