Last Updated: 2021-07-30

1. PRIVACY POLICY OBJECTIVE AND ITS APPLICATION

Kevin EU, UAB (hereinafter referred to as the „Company“) values your trust and is committed to ensure proper protection of your personal data. We respect your privacy and pledge to process and protect your personal data in a fair and lawful way in accordance with the applicable legal requirements of the European Union (General Data Protection Regulation 2016/679) (hereinafter referred to as the „GDPR“) and the Republic of Lithuania.

This Privacy policy explains how we collect and process the personal data about people who use our payment initiation and account information services. This Privacy policy provides information about the scope of processing personal data, the purposes, sources, recipients, and other important aspects of personal data processing.

In this Privacy policy, we describe what personal data we collect and process about people who use our payment initiation, account information services, clients and their representatives, visitors of this website, people that consented to receive direct marketing messages, job applicants for the vacant job position.

We may process your personal data for purposes other than those described in this Privacy policy. If this is the case, we will provide you with a separate privacy statement informing you about such processing.

Please note that additional information might be provided in Terms and Conditions, contracts, and other documents provided by us.

We may change this Privacy policy at any time at our sole discretion, therefore, you have a responsibility to make sure that you are familiar with the latest version of the Privacy policy.

2. DEFINITIONS

The following definitions when used in this Privacy policy have the same meaning as stipulated in the GDPR and is as follows:

Personal data means any information relating to an identified or identifiable natural person („data subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personal data processing means any operation or set of operations which is performed on personal data or on sets or personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Company means Kevin EU, UAB, legal entity code 304777572, Lvovo str. 25-104, LT-09320, Vilnius, the Republic of Lithuania.

3. CONTACT INFORMATION

Due to the requirements of the GDPR, the Company has appointed a Data protection officer.

If you would like to find out how we process your personal data or if you wish to exercise any of your rights as a data subject, please contact our data protection officer via e-mail [email protected].

You can contact the Company also via e-mail [email protected] or mail Lvovo str. 25-104, LT-09320 Vilnius, the Republic of Lithuania.

4. PERSONAL DATA

We collect personal data about you directly from you in order to initiate payment for goods or services, in order to receive information about bank accounts, when you enter into a contract with us or while representing another person, send your CV, as well as other information related to your employment.

We may also collect information about you from a third party (such as your bank or merchant from who you buy goods or services), where you have given your explicit consent for your information to be transferred to the Company in order to initiate payment and receive bank account information.

Your personal data also might be obtained indirectly from other organisations (such as Linkedin) where you have explicitly consented to your information to be transferred, specific register and information systems, also such sources as State Social Insurance Fund Board, etc.

We will collect and process your personal data in accordance with the applicable laws and regulations.

We may use and transfer your personal data for several different purposes and we rely on different legal grounds while processing it. Depending on whether you are a person who uses payment services, a representative of a current or potential client of ours or a website visitor, the below information sets out what categories of personal data we process, for what purpose and legal ground we rely on when processing the personal data. We also describe how we collect your personal data and who we may transfer it to, as well as the legal ground that allows us to do so.

Provision of payment initiation service

We provide payment initiation services in accordance with the rules established in the Payment Law of the Republic of Lithuania and the principles of good practice of Payment initiation prepared by the Bank of Lithuania. We will process the personal data received for this purpose, only in order to provide the payment initiation services.

We may use your personal data to initiate payment for goods or services you seek to acquire.

We will only collect the personal data in order to initiate payment that you seek to initiate. If you do not submit such a request (give your explicit consent), we will not be able to initiate the payment. We will not collect any data from you or other sources that is not necessary to render the payment initiation services.

We will only process your personal data after you agreed that the merchant or the service provider will transfer your personal data to us. If you do not give a consent to the merchant or the service provider to transfer your personal data to us, we will not be able to initiate payment.

We need to process your personal data in order to initiate payment services, to identify you, to initiate the payment, to authentify the payment as well as to confirm the payments.

Depending on the payment initiation service model chosen by our client (merchant or service provider), we may collect the following personal data: order number provided by merchant or service provider, transaction details (order amount, description (purpose), status), bank account number, bank account name, unique authentication keys (tokens) created by the bank and the Company that are linked to your bank account number.

In certain cases, we may collect your bank login number, personal identification number, telephone number, one-time authentication security code.

In certain cases when you choose to pay for the goods or services using your credit or debit card, the Company may also collect and process your credit or debit card’s information (credit or debit card number, owner (name and surname), expiry date and card verification value).

The amount of personal data we collect and process in each case depends on the requirements of your bank and payment initiation service model chosen by the merchant or service provider.

After particular payment is executed, the merchant who you acquired goods or services from and you will be informed about the payment status. We will inform you about the payment status via e-mail.

The legal basis for processing your personal data is the performance of a contract between you and the Company and the compliance with a legal obligation to which the Company is subject.

In certain cases when you seek to initiate payment to another natural personal, we will process the following personal data of the payee: bank account number, transaction details (currency, description (purpose), status. In such a case the legal basis for the processing of personal data of the payee is the legitimate interest of the Company.

We will process personal data for as long as we need it to fulfil the purpose the data was collected for. Personal data about you will not be stored for a longer period than 3 years after the payment initiation.

We review our data retention periods regularly and we are legally obliged to retain some personal information as part of our statutory requirements.

Provision of account information service

We provide account information services in accordance with the rules established in the Payment Law of the Republic of Lithuania. We will process the personal data received for this purpose, only in order to provide account information services.

We may use your personal data in order to provide you with the consolidated information about your bank accounts. We will only process your personal data when you actively ask us to provide you with the consolidated information about your bank accounts. Without such a request, we will not be able to provide you account information services.

In order to provide consolidated information about your bank accounts, we collet the following the personal data : your bank login ID, personal identification number, telephone number, one-time authentication security code, bank account number, bank account name, used bank accounts amount, unique authentication keys (tokens) created by the bank and the Company that are linked to your bank account number, bank account balance, bank account transaction history.

The legal basis for processing your personal data is the performance of a contract between you and the Company.

Consolidated bank account information can be transferred to third parties in order to assess your credit evaluation or for other legitimate purposes only upon your consent.

We will process personal data for as long as we need it to fulfil the purpose the data was collected for. Personal data about you will not be stored for a longer period than 3 years after account information is provided.

Implementation of the „Know your Client“ principle and prevention of money laundering and terrorist financing

We may process personal data in compliance with legal requirements related to implementation of the „Know your Client“ principle and prevention of possible money laundering and terrorist financing, prevention of fraud, detection, investigation and informing of such activity.

For this purpose, we may process the personal data of our Client’s representatives, directors and shareholders and / or other persons.

We may process the following personal data: name, surname, a unique sequence of symbols intended to identify the person, date of birth (if a person is not a citizen of Republic of Lithuania), the number and period of validity of the residence permit in the Republic of Lithuania and the place and date of its issuance (if a person is not a citizen of Republic of Lithuania), address, citizenship, the country of issuance of the identification document (in cases of a stateless person), workplace (in cases of Client’s director), image, personal identification document details, equity of the legal entity’s shares/voting rights/control (in cases of shareholder and beneficiary), signature, other data required by the Law on Prevention of Money Laundering and Terrorist Financing.

Following the legal requirements related to the implementation of „Know your Client“ principle and prevention of possible money laundering and terrorist financing, prevention of fraud, detection, investigation and informing of such activity, we may process your image (in the form of a photograph or live image) (biometric data) for identification purposes. Your image and personal identification document are combined in order to check if you are the owner of the presented personal identification document.

The Company may also process personal data of people who certify copies of documents or delegation. We may process the following personal data: name, surname, workplace, signature, other data required by the Law on Prevention of Money Laundering and Terrorist Financing.

Personal data are collected and processed on the basis of the legal obligation imposed on the payment initiation service provider, i. e. us. Your biometric data (your image) shall be processed on the basis of your consent (when image is processed for identification purposes). If you do not consent with processing of your biometric data, please contact Ondato, UAB (Service provider that provides The Company an identification platform) for another method of identifying your identity.

We will process personal data for as long as we need it to fulfil the purpose the data was collected for and following the legal requirements. Personal data will be stored for 8 years after the termination of the business relationship with the Client. The data retention period may be extended for a period not exceeding 2 years, provided there is a reasoned request from a State Authority. Such data retention period is required by the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania.

Performance of the Company‘s Agreements

We will process personal data of our Clients’ employees as well as our service providers in order to perform the agreements.

In such a case, we may process your personal data such as: name, surname, messaging content.

In cases when the Company enters into Agreements with a natural person, the Company will also process personal identification code, contact details (e-mail address, telephone number, address), other data that may be required to perform an agreement.

The basis for the processing of data is the performance of a contract between you and the Company and legitimate interest of the Company.

Personal data indicated in this section will be processed for as long as the agreement is in effect. If personal data are indicated in the agreement, they will be stored for 10 years as of the date of expiration of the respective agreement.

Handling Costumer’s complaints

The Company‘s customer, the payment service user has the right to file a complaint against the Company related to the payment initiation services provided by the Company.

If you submit a complaint, your personal data will be processed on the basis of a contract or on the basis of the fulfilment of the Company‘s legal obligations or legitimate interest of the Company to defend against the legal claims. Also, your personal data might be processed on a basis of your consent in case you provide your personal data that is not required.

For this purpose your personal data will be stored in accordance with the terms established by the applicable laws and regulation.

Client support

We value your feedback and we want to understand what we can do to improve our services. Therefore, you can contact us in order to receive assistance on your question or concern as well as any time that you are seeking to implement your rights.

If you contact us, we will process your personal data by collecting your contact details through the source you chose to contact us (via e-mail, post or any other way).

All personal data will be processed on the basis of your consent which is expressed by your actions by sending us a question, concern or request.

Your personal data will be stored for 1 year after certain question, concern or request was sent to us. In some individual cases, in accordance with the applicable legal requirements, your personal data might be stored longer.

Processing personal data for recruiting purposes

You can send us your data in order to join our Company. Your personal data you present for the purpose of recruiting for the vacant job position in our Company will be processed based on your consent, expressed by submitting your personal data.

We collect and process your CVs and/or motivation letters, and/or other information submitted by you at the time of participation in the selection for the purpose of recruitment and on the basis of your consent which you give to us or to the recruitment company by sending your curriculum vitae.

If you do not submit your curriculum vitae and/or motivation letter, we will not be able to assess your suitability for the offered position.

Please comply with personal information protection requirements and do not send us excessive information. Please observe at least the following minimum requirements for the protection of your personal information by sending personal data to us: do not indicate excessive or unnecessary personal data either in the subject line of the letter or query, or in the attached CV, in motivational letters, in other files: personal identification code, health or other special personal data, financial data, bank account number, family member data, car licence plate number, etc.

All personal data will be stored until ongoing recruitment process is finished. Please note that on basis of your consent we could store and use personal data you sent for the purposes of later recruitment for up to 1 year. Once you have given such a consent, you are entitled to withdraw it at any time, without prejudice to lawfulness of personal data processing based on such consent until the withdrawal of the consent. If you exercise this right, we will immediately take action to destroy your personal data.

Please note that in order to evaluate your candidacy, we may contact the former employers you have indicated for their recommendations and may ask them about your qualifications, professional skills and business qualities. We can request such information from your current employer only if we have your separate consent for this.

Direct marketing

In cases you provided your contact information and expressed explicit consent to receive marketing information from us, the Company’ may contact you by phone or via e-mail providing you with the information about the Company’s services or submit other promotional material. e may send out commercial offers, newsletters and other advertising material.

We may process the following personal data for direct marketing purposes: name, surname, workplace, phone number, e-mail address, other information that persona may provide, date of consent.

If you are our Customer and have not objected to our direct marketing messaging (by phone or e-mail), we may use your personal data without explicit consent offering you similar products and/or services for which your personal data were originally collected via e-mail or phone. In such a case your personal data will be processed on the basis of our legitimate interest.

Your data will be used for direct marketing purposes for 1 (one) year as of the receipt of your consent or after provision of services.

You have the right to refuse direct marketing at any time by contacting us via e-mail on [email protected].

5. DATA PROCESSORS. DATA RECIPIENTS

We can disclose your personal data to our employees, managers, service providers such as auditors, your Bank or merchant.

Moreover, we can disclose information about you:

  • If we must do this under the law (state institutions, law enforcement institutions and other persons in accordance with the procedure established by laws of the Republic of Lithuania);
  • In order to protect our rights or interests (including the provision of your data to third parties in order to recover your debts to us);
  • In order to sell a part of Company’s activities or assets, where we disclose your personal data to the potential buyer of the activities or a part thereof;
  • Having sold the activities of the Company or a substantial part thereof to third parties.

We may also provide personal data to other persons upon receiving your written consent.

Your personal data will not be transferred to third countries and/or international organisations.

Except in cases provided in this Privacy Policy, we do not transfer your personal data to any third parties.

If we disclose your personal data to groups of recipients other than those specified in this Privacy policy, we will inform you as soon such personal data are disclosed for the first time, unless we have already provided you such information earlier.

6. COOKIE POLICY

We may use cookies on this website.

Cookies are little text files that are stored on the Internet browser or hard drive of your computer or mobile device when you visit our website. Cookies work to make your experience browsing our website as smooth as possible. They are designed to improve the functionality and use of the website, also for the purposes of analysis.

We monitor the traffic of the website and collect information on the number of visitors browsing the website, the domain name of internet service providers of visitors, etc.

Cookies can be stored for varying lengths of time on your Internet browser or device.

Most Internet browsers accept cookies, but a person can change the Internet browser settings so that cookies would not be accepted. However, in this case, some functions may not work.

All information about cookies used by this website, their purpose, validity, and the data used are given in the table below:

CookieExpiry datePurpose
__cfduidAfter 1 yearCloudflare service cookie used to secure from external attacks. Required to use the website.
_gaAfter 2 yearsGoogle Analytics cookie used to distinguish users.
_gidAfter 24 hoursGoogle Analytics cookie used to distinguish users.
_gidAfter 1 minuteGoogle Analytics cookie used to throttle request rate.
frAfter 3 monthsUsed by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
mf_#After 3 monthsMouseflow cookie collects anonymous data of the user's navigation and interaction on the website in order to personalise the browsing experience.
_lfaAfter 2 yearsLeadfeeder cookie registers data such as IP-addresses, time spent on the website and page requests for the visit.

7. SECURITY OF YOUR PERSONAL DATA

Your personal data will be processed pursuant to the requirements set out in GDPR, the Republic of Lithuania Law on Legal Protection of Personal data and other legal acts.

In the course of processing your personal data, we implement organizational and technical measures which ensure the protection of personal data from an accidental or unlawful destruction, alteration, disclosure and any other unlawful processing. These measures may include, among other, encryption, physical access security, auditing and other appropriate technologies.

8. YOUR RIGHTS

This section contains information about your rights related to the processing of your personal data carried out by us and cases where you can exercise these rights. If you would like to receive more information on your rights or to exercise them, please contact us via e-mail indicated in this Privacy policy.

We will provide information on actions taken on a request with regard to implementation of your rights without undue delay and in any event within 1 (one) month of receipt of the request. In consideration of the request complexity and the number of received requests, the aforementioned term may be extended for 2 (two) further months. In this case, we will notify you of such term extension and reasons for it within 1 (one) month as of the receipt of request. We will refuse to implement your rights only in cases provided for in the legal acts.

Your rights are as follow:

The right to be informed

As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this Privacy policy.

The right of access

We want you to fully understand how we use your personal data and not to experience any inconvenience because of that. You can contact us at any time and ask if we process any of your personal data. If we store or use your personal data in any way, you have the right to access them.

We will provide access to the personal data we hold about you as well as the following information: the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data has been disclosed, the retention period or envisioned retention period for that personal data, when personal data has been collected from a third party, the source of the personal data.

The right to rectification

When you think we process inaccurate or incomplete personal information about you, you may exercise your right to correct or complete certain personal data. This may be used with the right to restrict processing to make sure that incorrect/incomplete personal data is not processed until it is corrected.

The right to restrict processing

You have the right to ask us to restrict the processing of your personal data or to object to their processing:

During the period required for us to verify the accuracy of your personal data when you submit claims with regard to data accuracy;

In cases of unlawful collection, storage, or use of your personal data where you decide not to request data;

When we do not need your personal data anymore, but you need them for the establishment, exercise, or defense of legal claims;

During the period required to determine if we have an overriding legal basis to continue processing your personal data if you exercise your right to object to the processing of your personal data.

The right to erasure (the right „to be forgotten“)

Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have unlawfully processed. We will take all reasonable steps to ensure personal data erasure.

The right to data portability

You have the right to the portability of data obtained by us under your consent or for the purpose of agreement conclusion. If you exercise this right, we will transfer a copy of the data provided by you.

The right to object

You have the right to object to the use of your personal data by us:

  • In cases where we use such data in order to implement our legitimate interests but we do not have an overriding legal basis to continue using your personal data; or
  • At any time when we use your personal data to send newsletters or for direct marketing purposes. In such a case, the data will not be used for these purposes anymore; however, they may be used for other legitimate purposes.

If you believe that your rights of the data subject have been and/or may be violated, please promptly contact us via email indicated in this Privacy policy. We ensure that as soon as we receive your complaint, we will contact you within a reasonable period and inform you about the complaint handling process, and them about its result.

If the handling results are unsatisfactory to you, you will be able to submit a claim to the supervisory authority – the State Data Protection Inspectorate (www.vdai.lrv.lt).

Detailed information about the implementation of the data subject’s rights is provided in the Company’s Procedure For the Implementation of Rights of the Data Subjects.

9. PRIVACY POLICY REVIEW

We may update or amend this Privacy policy at any time. Such an updated or amended Privacy policy will come into effect as of its publication on our website. You should check it from time to time and make sure that you find the current version of the Privacy policy acceptable.

After making an update to the Privacy policy, we will notify you about any changes that we consider material by publishing them on our website.

The latest update to the Privacy policy was made on 30 July 2021.