Version 1.0 June 2021
1. Purpose and Scope
IBANERA is a brand name of Phoenix Payments, UAB (also referred to as “we”, “us”, “IBANERA”, “Company”). Phoenix Payments, UAB is an electronic money institution licensed by the Bank of Lithuania (license No. LB000477), incorporated and existing in the Republic of Lithuania, company’s code 304920426, having its registered office at J. Basanavičiaus st. 31-6, LT-03109, Vilnius, Lithuania.
- Account or IBANERA account means the account created for the Client by IBANERA;
- Client means either an individual or a corporate entity holding an account with IBANERA;
- Services means banking and other Services provided by IBANERA to its Clients;
- Website means the website at www.IBANERA.com.
When writing ‘you’, we mean you as a potential, existing or former Client, our Client’s employee or other parties, such as beneficial owners, authorised representatives, business partners, other associated parties or persons contacting us by e–mail or other means of communication.
2. Personal Data Controller
Under the data protection law, IBANERA is the Data Controller responsible for handling your personal data processed in relation to the Services. In this context the term “personal data” means any information which can be used to personally identify you (e. g. a combination of your name and postal address).
As a Personal Data Controller, we are responsible for ensuring the security of the personal data you make available to us, in particular for preventing unauthorized access to your data. We are also responsible for ensuring that all users have the opportunity to exercise their rights regarding their own personal data, such as the right of access or erasure.
When processing personal data, we follow the principles of:
- a) legality, fairness and transparency – means that the personal data with respect to you is processed in a lawful, honest and transparent way;
- b) purpose limitation – means that the personal data is collected for specified, clearly defined and legitimate purposes and shall not be further processed in a way that is incompatible with those purposes;
- c) data reduction – means that the personal data must be adequate, appropriate and limited to what is necessary for the purposes for which it is processed;
- d) accuracy – means that the personal data must be accurate and, if necessary, updated. All reasonable steps must be taken to ensure that personal data which is not accurate in relation to the purposes for which it is processed shall be immediately erased or corrected;
- e) limitation of the length of the storage – means that the personal data shall be kept in such a way that your identity can be determined for no longer than is necessary for the purposes for which the personal data is processed;
- f) integrity and confidentiality – means that the personal data shall be managed by applying appropriate technical or organizational measures in a way that ensures the proper security of the personal data, including protection against unauthorized processing or processing of unauthorized data, and against accidental loss, destruction or damage.
3. What information we collect, for what purposes and on what legal basis
3.1 Categories of personal data being processed
The personal data we collect can be grouped into the following categories:
|Type of information|Personal data|
|---|---|
|1. Basic personal data:|first, last, middle, maiden names, job title, etc.|
|2. Identification information and other background verification data (yours, or your representatives’ and ultimate beneficial owner’s):|name, surname, personal identity code, date of birth, country of birth, address, nationality, citizenship, gender, passport or ID card copy and its details (e.g. type, number, issuance place and date, expiry date, MRZ code, signature), evidence of beneficial ownership or the source of funds (funds for account opening or transactions, occupation/employment information), source of wealth (information on how wealth was obtained), tax information (tax residence, tax identification number), number of shares held, voting rights or share capital part, title, visually scanned or photographed image of your face or image that you provide through a mobile or desktop camera while using our identification application, video and audio recordings for identification, telephone conversations.|
|3. Monetary operations details:|beneficiary details, date, time, amount and currency which was used, name/IP address of sender and receiver; account number (e. g. IBAN), details of debit cards and credit cards, including the card number, expiry date and CVC (the last three digits of the number on the back of the card), amount of transactions, income, currency, location, etc.|
|4. Information related to legal requirements:|data resulting from enquiries made by the authorities, data that enables us to perform anti-money laundering requirements and ensure compliance with international sanctions, including the purpose of the business relationship and whether you are a politically exposed person, and other data that we are required to process in order to comply with the legal obligation to “know your Client”.|
|5. Contact details:|registered/actual place of residence, phone number, e–mail address, etc.|
|6. Special category data:|biometric data.|
3.2 Purposes and legal basis for personal data processing
|Purpose|Legal basis|Categories of personal data|
|---|---|---|
|1. For the conclusion of the contract or for performance of measures at your request prior to the conclusion of the contract.| | |
|2. For the fulfilment of the contract concluded with you, including but not limited to the provision of the Services.| | |
|3. To comply with legal obligations (e. g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania and other fraud and crime prevention purposes) and risk management obligations.| | |
|4. For remote identification of your personal identity| | |
|5. To provide an answer when you contact us through our website or other communication measures| | |
We do not process special category data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using the Services (e. g. in payments details).
The definitions used above are understood as follows:
Contract performance: Processing your personal data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Legal Obligations: Processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Consent: Your consent shall mean any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify your agreement to the processing of personal data relating to you. We may request your consent for processing when we do not have another legal basis for processing your data.
4. How we obtain your personal data
We collect information you provide directly to us when you:
- fill in any forms;
- open a payment account or use any other of the Services;
- correspond with us;
- speak with a member of our Clients’ support team;
- contact us for other reasons.
We may collect personal data from third parties. In particular:
- we collect personal data from third parties such as public or private registers and databases. This includes information to help us check your identity, if applicable, information about your spouse and family, and information relating to your transactions;
- occasionally we will use publicly available information about you from publicly available sources (e. g. media, online registers and directories) and websites for enhanced due diligence checks, security searches and other purposes related to Client due diligence processes;
- we may collect personal data when it is provided to us by a third party which is connected to you or is dealing with us, for example, business partners, sub–contractors, service providers, merchants, etc.;
- we may collect personal data from banks or other financial institutions in case the personal data is received while executing payment operations;
- we may collect personal data from other entities which we collaborate with.
5. Our Identification Tools
The “iDenfy” solution is used for comparing live photographic data or a video recording of yourself with your ID document, to comply with legal obligations (e. g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania and other fraud and crime prevention purposes) and risk management obligations.
The result of the face similarity (match or mismatch) will be retained for as long as it is necessary to carry out verification and for the period required by anti-money laundering laws.
We ensure that your face similarity check is a process of comparing data acquired at the time of the verification, i. e. this is a one-time user authorization performed by comparing a person’s photos to each other. Your facial template is not created, recorded or stored. It is not possible to regenerate the raw data from retained information.
Using “iDenfy” Services, personal data is used for your identification, since “iDenfy” verifies the identity of the person in the identity document and the person captured in the photo. This process shall allow us to verify your identity more precisely and make the process quicker and easier to execute. If you do not feel comfortable with this identification method you may contact us by email at firstname.lastname@example.org for an alternative way to identify yourself.
6. Direct Marketing
We may use our existing Clients’ email addresses for marketing our similar goods or Services. Provided you do not object to the use of your email address for the marketing of our similar goods and Services, you are given a clear, free-of-charge and easily realisable possibility to object to or withdraw from such use of your contact details.
If you are our Client, we may also provide you with information about our products or Services by sending messages in the web-based platform, where they may be viewed in the messages panel, unless you choose the “opt-out” function in our application.
In other cases, we may use your personal data for the purpose of direct marketing, if you give us your prior consent regarding such use of the data.
If you do not agree to receive these marketing messages or calls offered by us, this will not have any impact on the provision of Services to you as the Client.
We provide a clear, free-of-charge and easily realisable possibility for you at any time not to give your consent or to withdraw your given consent for sending proposals put forward by us. We shall state in each notification sent by e-mail that you are entitled to object to the processing of the personal data or refuse to receive notifications from us. You shall be entitled to refuse to receive notifications from us by clicking on the respective link in each email notification.
7. How we share your personal data
We sometimes need to provide your personal information to third parties for a better performance of our Services to you. These third parties (data processors) include:
We may also transfer your personal data to:
- State Tax Inspectorate, other state and municipal institutions, bodies, organizations, and other public administration entities;
- Financial Crime Investigation Service, other pre-trial investigation bodies, courts, bailiffs, notaries;
- commercial banks, other financial institutions;
- law, finance, tax, business management, personnel administration, accounting advisors, etc.;
- external service providers (that provide such services as, for example, system development and/or improvement, audit services);
- beneficiaries of transaction funds receiving the information in payment statements together with the funds of the transaction;
- other persons with whom IBANERA intends to conclude or has concluded a contract(s);
- other persons who require access to the data in order to fulfil their legal obligations, on the basis of a legitimate interest or with the consent of the shareholders or the beneficiary;
- third parties in the case of sale of the Company to the buyer or its consultant during due diligence.
8. International transfer of personal data
In case your personal data is transferred outside the EEA or EU, we will take necessary steps to ensure that your data is treated securely and in accordance with this Policy and we will ensure that it is protected and transferred in a manner consistent with the legal requirements applicable to the personal data. This can be done in a number of different ways, for example:
- the country to which we send the personal data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection;
- the recipient has signed, or includes in its terms of service (service agreement), standard data protection clauses which are approved by the European Commission;
- special permission has been obtained from a supervisory authority.
We may transfer personal data to a third country by taking other measures if it ensures appropriate safeguards as indicated in the GDPR.
9. How we protect your personal data
The safety of your data is our top priority. You can be sure that your data is stored with utmost care. A variety of logical and physical security measures are used to keep your personal data safe and prevent unauthorized access, usage, or disclosure of it (the list indicated below is not exhaustive):
- a) We use access control policies and segregation of duties which ensure that only a restricted group of employees have access to your personal data. Staff is continuously trained about the importance of data safety and how to handle the data properly;
- b) all transactions you make through our platform after you log in are encrypted.
10. How long we keep your personal data
We will keep your personal data for as long as it is needed for the purposes for which your data was collected and processed, but not longer than it is required by the applicable laws and regulations. This means that we store your data for as long as it is necessary for providing the Services and as required by the retention requirements in laws and regulations. If the legislation of the Republic of Lithuania does not provide any period of retention of personal data, this period shall be determined by us, taking into account the legitimate purpose of the data retention, the legal basis and the principles of lawful processing of personal data.
- as long as your consent remains in force, if there are no other legal requirements which shall be fulfilled with regard to the personal data processing;
- in case of the conclusion and execution of contracts – for as long as the contract concluded between you and us remains in force and up to 10 years after the relationship between you and us has ended;
- the personal data collected for the implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention shall be stored in accordance with the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania up to 8 (eight) years. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority;
- the personal data submitted by you through our website or via email is kept to the extent necessary for the fulfilment of your request and to maintain further cooperation, but no longer than 6 months after the last day of the communication, if there are no legal requirements to keep it longer.
In the cases when the terms of data keeping are indicated in the legislative regulations, the legislative regulations are applied.
Your personal data might be stored longer if:
- it is necessary in order for us to defend ourselves against claims, demands or action and exercise our rights;
- there is a reasonable suspicion of an unlawful act that is being investigated;
- your personal data is necessary for the proper resolution of a dispute/ complaint;
- under another statutory basis.
11. Your rights
- The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data.
- The right to access. You have the right to request from us copies of your personal data. Where your requests are excessive, in particular if they are repetitive, we may refuse to act on the request, or charge a reasonable fee taking into account the administrative costs of providing the information. The assessment of the excessiveness of the request will be made by us.
- The right to rectification. You have the right to request us to correct or update your personal data at any time, in particular if your personal data is incomplete or incorrect.
- The right to data portability. The personal data provided by you is portable. You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- The right to be forgotten. When there is no good reason for us to process your personal data anymore, you can ask us to delete your data. We will take reasonable steps to respond to your request. If your personal data is no longer needed and we are not required by law to retain it, we will delete, destroy or permanently de-identify it.
- The right to restrict processing. You have the right to restrict the processing of your personal data in certain situations (e. g. you want us to investigate whether it is accurate; we no longer need your personal data, but you want us to continue holding it for you in connection with a legal claim).
- The right to object to processing. Under certain circumstances you have the right to object to certain types of processing (e. g. receiving notification emails). However, if you object to us using personal data which we need in order to provide our Services, we may need to close your payment account as we will not be able to provide the Services.
- The right to file a complaint with a supervisory authority. You have the right to file a complaint directly with the State Data Protection Inspectorate of Lithuania if you believe that the personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. You may apply in accordance with the procedures for handling complaints that are established by the State Data Protection Inspectorate and which may be found at this link: https://vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas
- Rights related to automated decision-making. You have the right not to be subject to a decision which is based solely on automated processing and which produces legal or other significant effects. In particular, you have the right:
  - to obtain human intervention;
  - to express your point of view;
  - to obtain an explanation of the decision reached after an assessment; and
  - to challenge such a decision.
If you would like to exercise any of these rights, please contact us at our email: email@example.com. IBANERA will exercise your rights only after it receives your written request to exercise a particular right indicated above and only after confirming the validity of your identity. The written request shall be submitted to IBANERA by sending it to the address of our registered office by ordinary mail, by e-mail to firstname.lastname@example.org or by submitting such request via your account.
Your requests shall be fulfilled, or fulfilment of your requests shall be refused by specifying the reasons for such refusal, within 30 (thirty) calendar days from the date of submission of the request meeting our internal rules and GDPR. The afore-mentioned time frame may be extended for 30 (thirty) calendar days by giving a prior notice to you if the request is related to a great scope of personal data or other simultaneously examined requests. A response to you will be provided in a form of your choosing as the requester.
For more information on how to control your Cookie settings and browser settings or how to delete Cookies on your hard drive, please read the Cookies Policy available on our website.
14. Contact us
You may contact us by email at email@example.com or by post at Phoenix Payments, UAB, J. Basanavičiaus st. 31-6, LT-03109, Vilnius, Lithuania.
15. Our Data Protection Officer
Our Data Protection Officer continuously monitors our privacy compliance and communicates with us on data protection matters relevant to the provision of our Services. You may contact our Data Protection Officer regarding all issues relating to our Company’s processing of your personal data and the exercise of your data protection rights by sending an email to the address: firstname.lastname@example.org