• how and when we collect your personal data, and what information we collect;
• how and why we use your personal data; and
• your rights to control your personal data.
2. What is personal data and how, when and what personal information do we collect and process?
2.1. Personal data
Personal data is any information we have on a user which allows the user to be identified, either directly or indirectly. Under the EU General Data Protection Regulation 2016/679 (hereinafter referred to as the GDPR), we have the obligation to inform you about data processing activities which are conducted by us using the personal data we have collected or generated.
If you engage with us in any way, we may collect the following information about you through the methods of contact you choose to use at the point of engagement:
|Full name, Personal Identification number, ID card details or details from another official document, nationality, address (current and permanent), occupation, date of birth, e-mail, telephone number, information from a utility bill.||
• Registration as User of the Portal;
• Identification and verification under the Money Laundering and Terrorist Financing Prevention Act (hereinafter referred to as the MLTFPA) and European regulations;
• Entering into agreement for provision of services;
• Provision of requested service;
• Fulfilment of obligations under the concluded agreement and services;
• Answering inquiries, questions and complaints
|Conclusion and/or performance of an agreement (GDPR Art 6(1)(b) Statutory obligation (GDPR Art 6(1)(c)|
|Username, login and password details, IP address||Use of the registered User account||Conclusion and/or performance of an agreement (GDPR Art 6(1)(b)|
|ID Card electronic copy, electronic copy of a utility bill||Identification under the MLTFPA and European regulations||Statutory obligation (GDPR Art 6(1)(c)|
|Personal data, collected for the purpose of PEPs /politically exposed person/ screening – public functions, job position, political opinions and membership, personal data about family member of a person performing prominent public functions||Due diligence and risk assessment/ risk appetite under the MLTFPA and European regulations; identification for the purposes of entering into an agreement for provision of services;||Statutory obligation (GDPR Art 6(1)(c); Obligation under an agreement (GDPR Art 6(1)(b)|
|Field of professional activity, Qualification level, Annual income||Identification under the MLTFPA and European regulations||Statutory obligation (GDPR Art 6(1)(c)|
|Information relevant to money transactions||
• Details about the payment instrument used – card number (PAN), date of issue and date of expiry, IBAN, currency;
• Information about electronic banking and details about performed transactions – amount of transaction, time and place of transaction
|Fulfilment of the obligations under agreement (GDPR Art 6(1)(b)|
• Offering products and services of IUVO;
• Sending advertising messages
|Consent (GDPR Art 6(1)(a)|
|Corporate E-mail||Identification for the purposes of entering into an agreement for provision of services and confirmation of the conditions for participation in program under general terms („Colleagues“)||Obligation under an agreement (GDPR Art 6(1)(b)|
|Telephone number||Making calls and sending short text messages /SMS/ offering assistance and advertising messages||Consent (GDPR Art 6(1)(a)|
|Corporate telephone number||Identification for the purposes of entering into an agreement for provision of services and confirmation of the conditions for participation in program under general terms („Colleagues“)||Obligation under an agreement (GDPR Art 6(1)(b)|
|Unique identification code in e-Check system||Identification for the purposes of entering into an agreement for provision of services and confirmation of the conditions for participation in program under general terms („Colleagues“)||Obligation under an agreement (GDPR Art 6(1)(b)|
|First name and family name, e-mail address||Confirmation of consent as a Referred person||Consent (GDPR Art 6(1)(a)|
|Voice-recorded over telephone conversation||
• Performance of services by IUVO, guaranting consumers’ rights under applicable laws and proof of conversation’s topic;
• Improvement of customer service
|IUVO’s legitimate interest to deliver its services on appropriate level (GDPR Art 6(1)(f). Considering that you are notified of the recording and have other ways to contact us (e.g., e-mail), also that it is also in your interest that services provided to you meet your expectations, we believe such legitimate interest is not overridden by your other interests or fundamental rights and freedoms.|
|Three names, telephone number, e-mail address and other personal data provided by the data subjects in connection with a request, appeal and / or complaint, recommendations, comments, through a chat or at the Company’s email address: [email protected], by telephone or on a hard copy to the address of the Company.||Answering inquiries, questions and complaints; data subject requests||Depending on the content of the communication: Statutory obligation (GDPR Art 6(1)(c); Conclusion and/or performance of an agreement (GDPR Art 6(1)(b); Consent (GDPR Art 6(1)(a)|
When the processing of your personal data is based on our legitimate interest, you have at any time the right to object to such processing (see more in Section 3 below).
We also collect and retain for fulfillment of statutory obligations:
• copies of our correspondence with you as well as other data we collect relating to your activities on our website and in relation to your engagement with IUVO;
• details about visitors to our website for the purposes of aggregating statistics or reporting purposes; and
• comments made on blogs and discussion forums in connection with IUVO.
2.2. Processing of personal data
Processing of personal data means any operation which is performed using the personal data, including but not limited to collecting, recording, retention, arrangement, use, amending, delivering, disclosure and deleting of your personal data by the portal operator IUVO. Whether automated or not, all above mentioned activities are deemed as processing of your personal data.
The controller of the processing of the personal data is the portal operator IUVO Group OÜ. Our data protection officer is M. Handzhiyska, you may find the contact details of our data protection officer below. We only process data submitted to us by you, generated by us via the portal or, if required by the applicable laws, collected by us from various third-party sources (including public databases such as the Business Register).
• Information collected and processed in order to identify or contact a user
We collect information which allows us to identify you to fulfil our regulatory obligations and to provide our services. We may collect information from various reliable and independent sources, whether public or private, to verify the information you have submitted to us (see more below under “Information collected from external third-party sources”).
To sign up at our website, we ask for your first name and surname, date of birth, residence and/or location, a copy of your identification document (only if necessary) and information about communication means to contact the user (phone, e-mail, etc).
As we provide our services in various jurisdictions, we might ask for the communication language preferred by you out of the languages we offer for the website or for general communication to provide you a better customer experience.
• Bank account information, information about payments
If you make investments via our crowdfunding system, we need information about your bank account. All payments to and from your virtual account opened at our web-site portal are possible to be made only to and from the bank account you have provided to us. For further information, please see section “Virtual Account and adding funds” in the user terms.
We collect information about the transactions you have made through your virtual account of our platform as well as information concerning servicing of a loan a user has been granted via the crowdfunding system.
• User’s portal usage data
While you are using our services, you create metadata in connection with your activities on our website. The information that is being collected by the platform consists of log-in data, beginning and end of registration in the portal, etc. What is more, we have information about the agreements you have entered into via the portal.
• Information collected from external third-party sources
We might have personal data collected from various private or public sources solely for fulfilling the legal obligations of the portal operator under the applicable laws (incl. via media and Internet). Most of all, this means collecting information on you so that we would be able to fulfil our anti-money laundering requirements or to assess your creditworthiness if you have been applying for loan intermediation via the portal. The sources for such information may vary and cannot be fully determined. This information, which often contains personal data, includes:
• information and reports from credit reference agencies, fraud prevention agencies, insolvency practitioners, debt advisers and tracing agents;
• commercial databases and marketing databases; and
• public records and other publicly available information sources.
2.3. The purpose of processing personal data
We mostly process data for the conclusion or performance of agreements entered into by you which we are obliged to maintain, as well as for compliance with legal obligations we are subject to. Some of our data processing activities are also related to our legitimate business interests (e.g., collecting data in order to improve the provision of our services or sending you marketing messages if you have consented thereto).
We mainly process the personal data of you and other users in connection with the agreements concluded via the portal by and between the users and the assignors. We are responsible for assisting the users in concluding the agreements as well as for the maintenance of the claims deriving from the agreements. Some specific requirements from the applicable laws may require us to perform data processing activities from which we may not refrain. When it comes to consumer credit intermediated via the portal, then under the applicable laws we are responsible for the assessment of creditworthiness of the potential borrower or fulfil other tasks prescribed in the applicable laws.
We collect, store and use your personal data:
• to inform you for developments and changes to our products and services;
• to develop and improve our services, products and business, including analyzing and improving our credit risk models and our customer service offering;
• if you are a borrower:
o to send your information to the relevant financial institutions and creditors;
o to ascertain your borrowing needs;
o to assess your creditworthiness and to make credit-related decisions; and
o if you miss any repayment of your loan, to trace your whereabouts and recover debts or enforce a loan contract and to verify any payment plan you have proposed or income and expenditure form you have submitted;
• to transfer money;
• to carry out mandatory or other regulatory checks;
• to comply with our legal and regulatory obligations;
• to carry out statistical analysis and market research and testing;
• We may want to use your contact details for sending you news and marketing materials. To enable us to deliver you information about our products and related promotional materials and/or notices, also the products and/or promotional materials and/or notices of the persons belonging to the same group with us or our third-party cooperation partners, we have asked for your prior consent. You may renew your consents any time while using our services. This does not concern notices and materials sent to you as part of our obligations under the User terms in connection with the agreements you have entered into
• to open accounts on our web-site with us and to manage and maintain those accounts;
• to verify your identity and the other information you have provided to us, including your bank account information;
• to update the records we hold about you from time to time;
• for the prevention and detection of fraud or other illegal or criminal activity – Anti-money laundering rules oblige us to hand over information about some specific information to the financial intelligence unit, a special unit of the Estonian Police and Border Guard Board. In some cases, we are not allowed to inform you about such exchange of information;
In addition to the above mentioned we may collect and process personal information for the purposes of identification when You participate in some of our programs. As a company which is part of Management Financial Group Holding, we may need to share it with other companies in the Holding for that purposes. This processing is in accordance with the applicable legislation.
When You participate in the Refer-a-friend program as a Referred person in Your capacity of a natural person we collect and process Your personal data – first name and family name and Your e-mail address. The described personal data has been given to us by a Referring person (Your friend) with confirmation given to us by him/her that You have given Your consent to receive an e-mail from us with an option to confirm Your consent and take the next steps to register in the IUVO platform as an Investor or to demand from us erasure of your personal data and/or termination of the processing of your personal data. If You don’t confirm Your consent and/or You don’t take any steps to register in the IUVO platform as an Investor, we will process Your personal data (name, family name and email) for 2 months from date the Referring person has given the described above personal data to us.
2.4. General principles of processing of personal data and retention periods thereof
IUVO processes user’s personal data fairly, in a manner and to the extent provided for by the applicable legislation.
IUVO and its employees apply all diligence and security measures required by the law when processing user’s personal data to ensure that it is only done for a specified purpose and to protect user’s personal data against inadvertent or unauthorised use, disclosure or destruction.
IUVO enables access to the user’s personal data only to
• its employees with whom a non-disclosure agreement is concluded;
• a third person, who processes the data on behalf of the portal operator, with whom a non-disclosure agreement is concluded (see further Section 2.5 below).
We exclude access of an unauthorised third persons to user’s personal data and from our database containing such data.
Your personal data connected to the agreements concluded by you via our portal will be stored as long as required by applicable laws. The general principle is that any document is stored for 7 years from the termination of the service contract. Any documents collected for the identification and verification of you including any personal data collected in relation to the establishing a business relationship with you as well as for the fulfilment of any other anti-money laundering requirements, are to be stored for 5 years after the termination of our business relationship. Personal data related to the any activities or facts the characteristics of which refer to the use of criminal proceeds or terrorist financing or to the commission of related offences or an attempt thereof will be stored for 5 years after making the transaction or performing IUVO’s duty to report the FIU of unusual transactions or documents that IUVO has discovered during the business relationship with you. Personal data collected during correspondence with you and IUVO in the absence of any contractual relations will be retained for 3 years as of the engagement in communication. Any and all types of personal data not outlined above will be retained until the end of statute of limitations, unless legal acts set forth any different direct obligation to retain your personal data for a different term.
Some personal data may be deleted sooner if deemed unnecessary or if required by the user, unless deleting such data is in conflict with any of our obligations under the applicable laws.
2.5. Transfer and disclosure of personal data
We may transfer your personal data in accordance with the user terms and the applicable law, to:
• Financial institutions /creditors/ for identification of the user, if needed;
• Persons whose economic or professional activity includes provision of service of collection of debts and other related services for collection of contractual debt(s) of the user, if the user has borrowed funds via our crowdfunding system and has outstanding debt;
• Other users to facilitate the conclusion and performance of agreements between the users, if needed;
• Persons to whom the portal operator is obliged to transfer user’s personal data based on the law;
• Person providing the accounting services to the portal operator, also the persons providing legal assistance in connection with agreements entered into with or between the users.
We may transfer user’s personal data to the third persons in any other case for the fulfilment of our legal or contractual obligations, to protect your vital interests or our legitimate interests only when it does not contradict the law.
In general, all recipients to whom IUVO transfers your personal data to are located in European Union and European Economic Area. When it is necessary to transfer your personal data to a third country or an international organisation outside the European Economic Area, IUVO will provide appropriate safeguards and transfer the personal data (i) to countries where the European Commission considers the level of data protection to be adequate (see HERE), (ii) under explicit agreement with standard data protection clauses (standard terms approved by the European Commission available HERE and used by IUVO depending on the circumstances of data transfer), or (iii) under other instruments allowed under the applicable law, on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
If the user has separately given such consent to IUVO, IUVO is entitled to transfer user’s personal data (primarily the user’s name and e-mail address) to the persons to who the portal operator has assigned a duty to market and promote portal operator’s products to the user.
In case a user who has borrowed funds via our crowdfunding system has debt(s) from the agreement(s) entered into by the user as a borrower via the portal, IUVO is entitled to disclose user’s personal data (primarily the name, personal identification code/business ID, amount of debt) in a manner, by procedure and via channels not prohibited by the law, as necessary and foreseeable to the debtor for the fulfilment of the obligations of such user.
3. Rights and obligations of the users and the IUVO portal in connection with processing of the personal data
3.1. You have the following rights in relation to the processing of your personal data. Note however that not all those rights are absolute and may be restricted on the grounds provided in the GDPR.
Right to information:
You are entitled at any time to demand from us:
• information about whether data relating to you are being processed and the details thereof; and
• copy of your personal data processed by us;
to receive a message in a structured, commonly used and machine-readable format containing your personal data processed by us, as well as any available information about the source of your personal data.
Where the processing of your personal data relies on our legitimate interest, you are entitled to ask us further information about the balancing test carried out by IUVO.
For that, you must submit a relevant application to us via your account or via e-mail (in this case, the application should be signed with electronic signature). Note that we will only provide you the information if we have properly identified you. We will provide you the information requested as soon as possible but not later than within a month from receiving the application. Under anti-money laundering regulations, we are entitled and obliged to refrain from transferring to you certain information about the usage of your personal data. To the extent not restricted by law, we will provide you the requested information.
Right of correction:
In case we handle incomplete or erroneous data , you are entitled at any time to obtain from us without undue delay the rectification of inaccurate personal data concerning you.
Right of objection to the processing of your personal data:
You may at any time object to the processing of your personal data if the processing is based on our or a third party’s legitimate interest. In such case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the data is necessary for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.
Right to restriction of processing:
You may request a restriction of the processing if:
• the accuracy of your personal data is contested by you, for a period enabling us to verify the accuracy of your personal data; or
• the processing of your data is unlawful but instead of deleting it, you want their limited processing; or
• we no longer need these data (for the intended purpose), but you need them for the establishment, exercise or protection of legal claims; or
• You have objected to processing your data pending the verification whether our legitimate grounds override yours as a data subject
Right to withdraw your consent:
Right of Data portability:
You have the right to receive your personal data, which you has provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where:
• the processing of that personal data is based on your consent or on a contract; and
• the processing is carried out by automated means
Right to erasure (‘right to be forgotten’)
You are entitled to demand from us erasure of your personal data and/or termination of the processing of your personal data by us where one of the following grounds applies:
• your personal data is no longer needed for the purposes for which it was collected or otherwise processed;
• you have withdrawn your consent on which the processing of the data is based and there is no other legal basis for the processing;
• you believe your personal data has been processed unlawfully.
Keep in mind that there may be other reasons to prevent the immediate erasure of your data, such as statutory storage obligations, pending proceedings, establishment, exercise or defence of legal claims, etc.
3.2. We trust that the information provided by you is correct, valid and complete. Each user is obliged to inform us immediately about the changes in their personal data and also about incorrectness or invalidity of personal data by providing us the correct and valid personal data to replace the incorrect and/or invalid one.
4. Contact Us in relation to personal data processing
In order to exercise your rights as mentioned above, please fill in and send to us this FORM by e-mail to [email protected]
In case of further questions or complaints concerning our data processing activities, please address them to [email protected] Alternatively, you can write to us at Narva mnt 5, Tallinn 10117, Republic of Estonia. Please be sure to mark all correspondence for the attention of our Data Protection Officer M. Handzhiyska, so that we can get back to you quickly.
If you find that the way we have been processing your personal data has violated your rights in any way, you may submit a complaint to the Estonian Data Protection Inspectorate or the supervisory authority of the country of your habitual residence or place of work in the EU.
6. About IUVO
The IUVO portal is operated by and your personal data is processed by IUVO GROUP OŰ, commercial registry code: 14063375, address of management: Narva mnt 5, Tallinn 10117, Republic of Estonia, telephone: + 372 880 7011, e-mail: [email protected]
IUVO GROUP OŰ is a regulated credit intermediary by the Estonian Financial Supervision Authority.
We monitor our procedures concerning data processing at least once per year. Should we find any information provided in this policy invalid or inaccurate, we will make amendments accordingly.
Any changes made to this policy will be made available on this webpage and if we have your e-mail address, you will also be informed about any material changes via e-mail.