Privacy Policy

 

  1. Purpose of this Document 1.1 This privacy policy outlines how we collect and utilize your personal information in accordance with applicable data protection laws.

1.2 We recognize the importance of your data and the associated risks. We are committed to safeguarding the privacy and security of your personal information.

1.3 As a data controller, we are responsible for determining how your personal information is stored and used. To comply with data protection laws and best practices, we are obligated to inform you about the details provided in this privacy policy.

1.4 This policy explains your rights under data protection laws and our commitment to treating your data appropriately. We reserve the right to update this policy as needed.

1.5 It is important that you read this policy, along with any other privacy notices we may provide on specific occasions when we collect or process your personal information. This will help you understand how and why we use such information.

  1. Data Protection Principles We adhere to applicable data protection laws and strive to meet the highest standards. This means that the personal information we hold about you must be:

2.1 Used lawfully, fairly, and transparently.

2.2 Collected only for valid purposes that we have clearly explained and not used in a manner inconsistent with those purposes.

2.3 Relevant to the purposes we have disclosed and limited to those purposes.

2.4 Accurate and kept up to date.

2.5 Retained only for as long as necessary for the disclosed purposes.

2.6 Kept secure.

  1. Types of Information We Collect 3.1 Personal data or personal information refers to any information that can identify an individual. It does not include anonymized data where identities have been removed.

3.2 There are «special categories» of more sensitive personal data that require a higher level of protection, as described in paragraph 10.

3.3 We may collect, store, and use the following categories of personal information:

3.3.1 Full name.

3.3.2 Date of birth.

3.3.3 Place of birth.

3.3.4 Passport information, including number, date of issuance, and expiry.

3.3.5 Email address.

3.3.6 Phone number.

3.3.7 Full residential address.

  1. Collection of Personal Information 4.1 We collect personal information from you when you complete our application form.

  2. Use of Your Information 5.1 We will only use your personal information when permitted by law. The most common circumstances in which we use your personal information include:

5.1.1 Performance of a contract we have entered into with you.

5.1.2 Compliance with a legal obligation.

5.1.3 Pursuit of our legitimate interests (or those of a third party) as long as they do not override your interests and fundamental rights.

5.1.4 Verification of information provided for the application process.

5.1.5 Completion and submission of the application.

5.2 In rare situations, we may use your personal information in the following cases:

5.2.1 Protection of your interests or someone else’s interests.

5.2.2 Necessity in the public interest.

  1. Use of Your Personal Information 6.1 We require all categories of information mentioned in paragraph 4 primarily to fulfill our contract with you and to comply with legal obligations. In some cases, we may use your personal information to pursue our legitimate interests or those of third parties, provided they do not override your interests and fundamental rights.

6.2 There may be overlapping grounds for processing your personal information, and multiple justifications may apply.

6.3 The situations in which we will process your personal information are listed in Schedule 1, together with the purpose or purposes for which we are processing or will process your personal information.

Failure to Provide Personal Information

7.1 If you fail to provide certain requested information, it may hinder our ability to fulfill our contractual obligations to you, such as processing a transaction on your behalf. It may also prevent us from complying with our legal obligations, such as ensuring compliance with anti-money laundering legislation by properly identifying you.

Change of Purpose
8.1 We will only use your personal information for the purposes for which we collected it, unless we reasonably determine that we need to use it for another purpose that is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will inform you and explain the legal basis that allows us to do so.

8.2 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, when it is required or permitted by law.

Use of Sensitive Personal Information
9.1 «Special categories» of sensitive personal information require a higher level of protection. We must have additional justification for collecting, storing, and using this type of personal information. We may process special categories of personal information under the following circumstances:
9.1.1 With your explicit written consent as part of the application process to fulfill our contractual obligations with you.

9.1.2 When we need to fulfill our legal obligations.

9.2 Less commonly, we may process this type of information when it is necessary for legal claims or to protect your interests (or someone else’s interests) and you are unable to provide consent, or when you have already made the information public. We may also process such information about you as part of legitimate business activities, with appropriate safeguards in place.

Do We Need Your Consent?
We do not require your consent if we use your personal information to fulfill our legal obligations or exercise specific rights under the law. In limited circumstances, we may seek your written consent to process certain particularly sensitive data. If we do so, we will provide you with full details of the information we require and the reason we need it, enabling you to carefully consider whether you wish to provide consent. Please note that agreeing to any consent requests from us is not a condition of your contract with us.

Automated Decision-Making
11.1 Automated decision-making refers to decisions made by an electronic system without human intervention, using personal information. We may use automated decision-making in the following situations:
11.1.1 If we have informed you about the decision and provided you with a 21-day period to request a reconsideration.

11.1.2 When it is necessary to fulfill our contractual obligations to you, and we have implemented appropriate measures to protect your rights.

11.1.3 In limited circumstances, with your explicit written consent and with appropriate measures in place to protect your rights.

11.2 If we make an automated decision based on particularly sensitive personal information, we must either have your explicit written consent or justify it based on public interest. Additionally, we must have appropriate measures in place to safeguard your rights.

11.3 We will not subject you to decisions that significantly impact you solely based on automated decision-making, unless we have a lawful basis for doing so and have notified you accordingly.

11.4 While we do not currently anticipate making decisions about you using automated means, we will inform you in writing if this situation changes.

Data Sharing
12.1 We may need to share your data with third parties, including third-party service providers.
12.2 We require third parties to treat your data securely and handle it in accordance with applicable laws.

12.3 It is possible that we may transfer your personal information outside the European Union (EU).

12.4 If such transfers occur, we will ensure that an equivalent level of protection is provided for your personal information.

12.5 Why Might We Share Your Personal Information with Third Parties?

We may share your personal information with third parties in situations where it is required by law, necessary to manage our relationship with you, or when we have a legitimate interest in doing so. This may involve sharing your information with:

12.5.1 Third-party service providers who assist us in operating our business.

12.5.2 Credit card companies and direct debit operators.

If there are changes to our organization’s structure or proposed changes, we may share your data with third parties in order to sell, merge, or transfer aspects of our business or to merge with/acquire other businesses. This will only occur if those parties agree to maintain your data to the same standards we have set for data protection. Following such a change, other parties may handle your data in accordance with these standards.

12.6 Which Third-Party Service Providers Process My Personal Information?

«Third parties» refers to third-party service providers, including contractors and designated agents. The following activities are carried out by third-party service providers:

a. Credit card companies and direct debit operators process the payment information you have provided to us.

12.7 How Secure Is My Information with Third-Party Service Providers?

All our third-party service providers are required to implement appropriate security measures to protect your personal information in line with our policies. We do not permit our third-party service providers to use your personal data for their own purposes. They are only authorized to process your personal data for specific purposes and in accordance with our instructions.

12.8 Transferring Information Outside the EU

We may transfer the personal information we collect about you to the following countries outside the European Union:

12.8.1 Estonia.

To fulfill our contractual obligations to you, we may transfer your data to Estonia. Please note that not all of these countries have received an adequacy decision from the European Commission, which means that some countries may not provide an adequate level of protection for your personal information.

However, we have implemented binding contract clauses in accordance with international standards to ensure that your personal information is treated by these third parties in a manner consistent with applicable data protection laws and respects your rights. If you require more information about these protective measures, please contact the Head of Data Protection.

13 Data Security
13.1 We have implemented measures to safeguard the security of your information. If you would like more details about these measures, please request them.

13.2 Third parties will only process your personal information under our instructions and are required to maintain confidentiality and security.

13.3 We have established appropriate security measures to prevent unauthorized access, use, alteration, or disclosure of your personal information. We limit access to your personal information to employees, agents, contractors, and other third parties who have a legitimate business need to know. They will process your personal information solely based on our instructions and are bound by a duty of confidentiality. For more information on these measures, please contact the Head of Data Protection.

13.4 We have procedures in place to address suspected data security breaches. If required by law, we will notify you and the relevant regulatory authorities of any suspected breaches.

14 Data Retention
14.1 We will retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements. The retention period is determined based on factors such as the amount, nature, and sensitivity of the personal data, the potential risk of unauthorized use or disclosure, the purposes of processing, the availability of alternative means to achieve those purposes, and applicable legal requirements. Generally, for application information verification and applications, we will retain your information indefinitely or for as long as necessary for the application and verification process.

14.2 In certain circumstances, we may anonymize your personal information so that it can no longer be associated with you, and we may use such information without further notice.

14.3 All information from incomplete applications that do not result in payment will be deleted within 48 hours.

14.4 If you have any questions regarding data retention, please contact our Data Protection Officer.

15 Marketing
We may use your personal information to inform you about our products and services that we believe may be of interest to you. Before doing so, we may use your personal information to better understand your needs or preferences regarding services or products.

If you wish to stop receiving marketing communications from us, you can request it, and we will honor your choice. You can also change your preference at any time.

16 Cookies
We utilize «cookies» on our website, which are small pieces of data that enable us to track visits to our website and gather related information.

17 Rights of Access, Correction, Erasure, and Restriction
17.1 Keeping us informed of changes

To ensure the accuracy and currency of the personal information we hold about you, please inform us of any changes during your relationship with us.

17.2 Your rights concerning personal information

Under certain circumstances, you have the right, as provided by law, to:

17.2.1 Request access to your personal information, commonly known as a «data subject access request.» This allows you to receive a copy of the personal information we hold about you and verify its lawfulness of processing.

17.2.2 Request correction of your personal information if it is incomplete or inaccurate.

17.2.3 You have the right to request the deletion or removal of your personal information if there is no valid reason for us to continue processing it. You can also request the deletion or removal of your personal information if you have exercised your right to object to the processing (see below).

17.2.4 You can object to the processing of your personal information when we rely on a legitimate interest (or that of a third party), and there is something about your specific situation that makes you want to object to the processing. You also have the right to object if we are processing your personal information for direct marketing purposes.

17.2.5 You can request the restriction of processing your personal information, which allows you to ask us to suspend the processing of your personal information. For example, if you want us to verify its accuracy or the reason for processing it.

17.2.6 You can request the transfer of your personal information to another party.

17.3 If you wish to review, verify, correct, request the erasure of your personal information, object to the processing of your personal data, or request the transfer of your personal information to another party, please contact the Head of Data Protection in writing.

17.4 Usually, there is no fee required

You will not be charged a fee to access your personal information or to exercise any of the other rights mentioned above. However, if your request for access is clearly unfounded or excessive, we may charge a reasonable fee or refuse to comply with the request in such circumstances.

17.5 Information we may need from you

We may need specific information from you to verify your identity and ensure your right to access the information (or exercise any other rights). This is another security measure to prevent the disclosure of personal information to unauthorized individuals.

18 Right to withdraw consent In situations where you have provided consent for the collection, processing, and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Officer. Once we receive notification of your withdrawal, we will no longer process your information for the purpose(s) you originally agreed to, unless we have another legitimate basis for doing so under the law.

19 Changes to this privacy notice We reserve the right to update this privacy notice at any time. When significant updates are made, we will provide you with a new privacy notice. We may also inform you of any processing changes related to your personal information through other means from time to time.

We store personal data in digital format on secure cloud servers and systems hosted in the European Union (EU) and Estonia. For data stored on servers located in the US, we rely on the Privacy Shield Framework to transfer this information. Access to personal data is strictly limited internally for approved business purposes only. Any personal data processed in paper form is securely filed at our office location in Estonia.