• how and when we collect your personal data, and what information we collect;
• how and why we use your personal data; and
• your rights to control your personal data.
2. What is personal data and how, when and what personal information do we collect and process?
2.1. Personal data
Personal data is any information we have on a user which allows the user to be identified, either directly or indirectly. Under the General Data Protection Regulation (EU) 2016/679 we have the obligation to inform you about data processing activities which are conducted by us using the personal data we have collected or generated.
If you engage with us in any way, we may collect the following information about you through the methods of contact you choose to use at the point of engagement:
• information you provide through our website and through our application and verification processes;
• information you provide through communications with us, whether in writing (including by letter, email or chat) or on the telephone (including by way of recorded calls);
• information we obtain through your engagement with us on social media, including on blogs, forums and through Facebook; and
To provide our services, we need to collect the following information about you through the above mentioned channels:
• information to identify and contact you (such as name, date of birth, email address, telephone number, postal address);
• information concerning your transactions and other activities on our website (details of payments, applications, agreements and other data concerning the use of the services provided by us);
• information concerning the use of the user account (login and password details, IP address and other data concerning the use of the account);
• registered communication between you and us (such as recommendations, comments, requests, inquiries, either submitted through the portal, using e-mail address or via phone).
We also collect and retain:
• copies of our correspondence with you as well as other data we collect relating to your activities on our website and in relation to your engagement with IUVO;
• details about visitors to our website for the purposes of aggregating statistics or reporting purposes; and
• comments made on blogs and discussion forums in connection with IUVO.
2.2. Processing of personal data
Processing of personal data means any operation which is performed using the personal data, including but not limited to collecting, recording, retention, arrangement, use, amending, delivering, disclosure and deleting of your personal data by the portal operator IUVO. Whether automated or not, all above mentioned activities are deemed as processing of your personal data.
The controller of the processing of the personal data is the portal operator IUVO Group OÜ. Our data protection officer is M. Handzhiyska, you may find the contact details of our data protection officer below. We only process data submitted to us by you, generated by us via the portal or, if required by the applicable laws, collected by us from various third-party sources.
• Information collected and processed in order to identify or contact a user
We collect information which allows us to identify you to fulfil our regulatory obligations and to provide our services. We may collect information from various reliable and independent sources, whether public or private, to verify the information you have submitted to us.
To sign up at our website, we ask for your first name and surname, date of birth, residence and/or location, a copy of your identification document (only if necessary) and information about communication means to contact the user (phone, e-mail, etc).
As we provide our services in various jurisdictions, we might ask for the communication language preferred by you out of the languages we offer for the website or for general communication to provide you a better customer experience.
• Bank account information, information about payments
If you make investments via our crowdfunding system, we need information about your bank account. All payments to and from your virtual account opened with at our web-site portal are possible to be made only to and from the bank account you have provided to us. For further information, please see section “Virtual Account and adding funds” in the user terms.
We collect information about the transactions you have made through your virtual account of our platform as well as information concerning servicing of a loan a user has been granted via the crowdfunding system.
• User’s portal usage data
While you are using our services, you create metadata in connection with your activities on our website. The information that is being collected by the platform consists of log-in data, beginning and end of registration in the portal, etc. What is more, we have information about the agreements you have entered into via the portal.
• Information collected from external third-party sources
We might have personal data collected from various private or public sources solely for fulfilling the legal obligations of the portal operator under the applicable laws (incl. via media and Internet). Most of all, this means collecting information on you so that we would be able to fulfil our anti-money laundering requirements or to assess your creditworthiness if you have been applying for loan intermediation via the portal. The sources for such information may vary and cannot be fully determined. This information, which often contains personal data, includes:
• information and reports from credit reference agencies, fraud prevention agencies, insolvency practitioners, debt advisers and tracing agents;
• commercial databases and marketing databases; and
• public records and other publicly available information sources.
2.3. The purpose of processing personal data
We process data for the performance of agreements entered into by you which we are obliged to maintain as well as for compliance with legal obligations we are subject to.
We mainly process the personal data of you and other users in connection with the agreements concluded via the portal by and between the users and the assignors. We are responsible for assisting the users in concluding the agreements as well as for the maintenance of the claims deriving from the agreements. Some specific requirements from the applicable laws may require us to perform data processing activities from which we may not refrain. When it comes to consumer credit intermediated via the portal, then under the applicable laws we are responsible for the assessment of creditworthiness of the potential borrower or fulfil other tasks prescribed in the applicable laws.
We collect, store and use your personal data:
• to inform you for developments and changes to our products and services;
• to develop and improve our services, products and business, including analyzing and improving our credit risk models and our customer service offering;
• if you are a borrower:
o to ascertain your borrowing needs;
o to assess your creditworthiness and to make credit-related decisions; and
o if you miss any repayment of your loan, to trace your whereabouts and recover debts or enforce a loan contract and to verify any payment plan you have proposed or income and expenditure form you have submitted;
• to transfer money;
• to carry out mandatory or other regulatory checks;
• to comply with our legal and regulatory obligations;
• to carry out statistical analysis and market research and testing;
• We may want to use your contact details for sending you news and marketing materials. To enable us to deliver you information about our products and related promotional materials and/or notices, also the products and/or promotional materials and/or notices of the persons belonging to the same group with us or our third-party cooperation partners, we have asked for your prior consent. You may renew your consents any time while using our services. This does not concern notices and materials sent to you as part of our obligations under the User terms in connection with the agreements you have entered into
• to open accounts on our web-site with us and to manage and maintain those accounts;
• to verify your identity and the other information you have provided to us, including your bank account information;
• to update the records we hold about you from time to time;
• for the prevention and detection of fraud or other illegal or criminal activity – Anti-money laundering rules oblige us to hand over information about some specific information to the financial intelligence unit, a special unit of the Estonian Police and Border Guard Board. In some cases, we are not allowed to inform you about such exchange of information;
2.4. General principles of processing of personal data
IUVO processes user’s personal data fairly, in a manner and to the extent provided for by the applicable legislation.
IUVO and its employees apply all diligence and security measures required by the law when processing user’s personal data to ensure that it is only done for a purpose and to protect user’s personal data against inadvertent or unauthorised use, disclosure or destruction.
IUVO enables access to the user’s personal data only to
• its employees with whom a non-disclosure agreement is concluded;
• a third person, who processes the data on behalf of the portal operator, with whom a non-disclosure agreement is concluded.
We exclude access of an unauthorised third persons to user’s personal data and from our database containing such data.
Your personal data connected to the agreements concluded by you via our portal will be stored as long as required by applicable laws. The general principle is that any document is stored for 7 years from the termination of such contract. Any documents collected for the identification and verification of you as well as for the fulfilment of any other anti-money laundering requirements, are to be stored for 5 years after the termination of our business relationship. Some personal data may be deleted sooner if deemed unnecessary or if required by the user, unless deleting such data is in conflict with any of our obligations under the applicable laws.
In case you are using our services to apply for consumer credit, we may combine the data you provide us and the data we collect ourselves to analyse you creditworthiness.
2.5. Transfer and disclosure of personal data
We may transfer your personal data in accordance with the user terms and the applicable law, to:
• Credit institutions for identification of the user, if needed;
• Persons whose economic or professional activity includes provision of service of collection of debts and other related services for collection of contractual debt(s) of the user, if the user has borrowed funds via our crowdfunding system and has outstanding debt;
• Other users to facilitate the conclusion and performance of agreements between the users, if needed;
• Persons to whom the portal operator is obliged to transfer user’s personal data based on the law;
• Person providing the accounting services to the portal operator, also the persons providing legal assistance in connection with agreements entered into with or between the users.
We may transfer user’s personal data to the third persons in any other case for the fulfilment of our legal or contractual obligations, to protect your vital interests or our legitimate interests only when it does not contradict the law.
The personal data of our users is not transferred to any third persons outside the European Union.
If the user has separately given such consent to the portal operator, the portal operator is entitled to transfer user’s personal data (primarily the user’s name and e-mail address) to the persons to who the portal operator has assigned a duty to market and promote portal operator’s products to the user.
In case a user who has borrowed funds via our crowdfunding system has debt(s) from the agreement(s) entered into by the user as a borrower via the portal, the portal operator is entitled to disclose user’s personal data (primarily the name, personal identification code/business ID, amount of debt) in a manner, by procedure and via channels not prohibited by the law, as necessary and foreseeable to the debtor for the fulfilment of the obligations of such user.
3. Rights and obligations of the users and the IUVO portal in connection with processing of the personal data
3.1. Your rights in relation to the processing of your personal data
Right to information:
You are entitled at any time to demand from us:
• information about whether data relating to you are being processed, information for the purposes of such processing, the categories of data, and the recipients or categories of recipients to whom the data is disclosed;
• receiving a message in a structured, commonly used and machine-readable format containing your personal data being processed by us, as well as any available information about your personal data’s source;
For that, you must submit a relevant application to us via your account or via e-mail (in this case the application should be signed with electronic signature). We will provide you the information requested in such application as soon as possible but not later than within a month from receiving the application. Under anti-money laundering regulations, we are entitled and obliged to refrain from transferring you certain information about the usage of your personal data. To the extent not restricted by law, we will provide you the following information:
If your personal data which is processed by us is incomplete and you have informed us of that, we have the obligation to complete it if you have provided us relevant information for that. If the incorrect information is no longer necessary for us regarding the data processing purposes, such data will be erased.
Right of correction:
In case we handle incomplete or erroneous/ erroneous data, you are entitled at any time to obtain from us without undue delay the rectification of inaccurate personal data concerning him or her:
• to delete, correct, or block your personal data, the processing of which does not meet the requirements of the law;
• to notify third parties to whom personal information has been disclosed of any erasure, correction or blocking.
Right of objection to the processing of your personal data:
You may at any time:
• object to the processing of your personal data if there is a legitimate reason for doing so. Where the objection is justified, the personal data of the individual concerned can no longer be processed;
• object to the processing of your personal data for the purposes of direct marketing if previously you have submitted your consent for that processing.
Right to restriction of processing*:
You may request a restriction of the processing if:
• the accuracy of your personal data is contested by you, for a period enabling us to verify the accuracy of your personal data; or
• the processing of your data is unlawful but instead of deleting it, you want their limited processing; or
• we no longer need these data (for the intended purpose), but you need them for the establishment, exercise or protection of legal claims; or
• You have objected to processing your data pending the verification whether our legitimate grounds override yours as a data subject
Right of Data portability *:
You have the right to receive your personal data, which you has provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where:
• the processed by us your personal data is based on consent that may be withdrawn at any time or a contractual obligation and
• the processing is carried out by automated means
Right to erasure (‘right to be forgotten’)
You are entitled to demand from us erasure of your personal data and/or termination of the processing of your personal data by us without undue delay, and we are obliged without undue delay to erase your personal data without undue delay where one of the following grounds applies:
• your personal data is no longer needed for the purposes for which it was collected or otherwise processed;
• You have withdrawn your consent on which the processing of the data is based and there is no other legal basis for the processing;
• You believe that personal data has been processed unlawfully.
Keep in mind that there may be other reasons to prevent the immediate erasure of your data, such as statutory storage obligations, pending proceedings, establishment, exercise or defense of court claims, etc.
3.2. We trust that the information provided by you is correct, valid and complete.
Each user is obliged to inform us immediately about the changes in their personal data, also about incorrectness or invalidity of personal data by delivering the portal operator also the correct and valid personal data to replace the incorrect and/or invalid ones.
4. Right to file Complaints
If you find that the way we have been processing your personal data has violated your rights in any way, you may submit a complaint to the Estonian Data Protection Inspectorate.
5. Contact Us in relation to personal data processing
In case of further questions concerning data processing activities or requests considering your rights, please address them to [email protected] or alternatively you can write to us at Narva mnt 5, Tallinn City, Harju county, 10117, Republic of Estonia. Please be sure to mark all correspondence for the attention of our Data Protection Officer Maria Handzhiyska, so that we can get back to you quickly.
6. About IUVO
The IUVO portal is operated by IUVO GROUP OŰ, commercial registry code 14063375, address of management: Narva mnt 5, Tallinn City, Harju county, 10117, Republic of Estonia, + 372 880 7011, [email protected]
IUVO GROUP OŰ is a regulated credit intermediary by the Estonian Financial Supervision Authority.
We monitor our procedures concerning data processing at least once per year. Should we find any information provided for in this policy invalid or inaccurate, we will make amendments accordingly.
Any changes made to this policy will be made available on this webpage and you will be informed via e-mail.