The companyFUNDAUS OÜ, registration number: 14643807, legal address: Harju maakond, Tallinn, Nõmme linnaosa, Tina tn. 9, 10126, (hereinafter – Controller) the owner of the platform placed on homepage www.fundaus.com (hereinafter – Platform), in connection withprovision of crowdfunding services (hereinafter – Service) performs natural person personal data (hereinafter – Data) processing activities.
Data processing is performed also by the Controller’s security agent FUNDAUS TRUST AGENT OÜ, registration number: 14810464, legal address: Harju maakond, Tallinn, Kesklinna linnaosa, Tina tn. 9, 10126, who iscustodian of collateral (hereinafter – Joint controller). Controller and Joint controller (both together hereinafter – Joint controllers) jointly determine Data processing purposes and means.
The Privacy Policyapplies tonatural person, who intends to use or uses the Controller’s provided Service (hereinafter – Customer) and to natural person,who is closely connected to person (natural person or legal entity) which intends to use or uses provided Services, who’s risk affects legal entity’s money laundering and terrorist financing risk level (hereinafter – Connected person), i.e. Beneficial Owner, representative, member of ownership structure, management board member or director. The Connected person Data processing is defined by requirements of Estonian and European Union legislation regarding prevention of money laundering and terrorist financing activities.
The Privacy Policy informs the Customer and Connected person (both hereinafter – Data subject)on the main Data processing principles performing Data collection, retention and transfer, as well as on on Data subject’srights regarding the processed Data.
Acceptance of the Privacy Policy is defined as Data subjectagreement with Data processing principles and is equated to the Data subject consent with Data processing. The Privacy Policy acceptance is also defined as an entrustment to implement Connected person Data processing and confirmation of rights to give such entrustment in the name of the respective Connected person.
Data processing principlesapply only to natural person and are based on the Estonian Data Protection Act (hereinafter – the Act) and Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter - GDPR).
The access to Data is provided to the Joint Controllers employees, which ensure Data confidentiality during performance of their working duties on a basis of employment agreement and after its termination.
The Privacy Policy informs on another undertakingstowhich Data are transmitted in order to process it on behalf of the Controller and on the Joint controllers defined purposes.Unauthorized person access to Data without the consent of Data subject is restricted, excluding occasions mentioned in the Act and GDPR requirements.
The Privacy Policy may be revised and updated at any time informing Data subject about changes by posting the revised and updated Privacy Policy on the Platform homepage.
The Privacy Policy takes effect upon its posting on the Platform homepage.
In the case of any neÑessity to receive additional information concerning the Privacy Policy Data subject can contact the Controller by writing an e-mail to [email protected].
Joint controllers process submitted Data performing Data exchange.
Joint controllers’ respective responsibilities for the fulfillment of obligations, relevant actual functions and relationships with respect to Data processing are defined in the agreement concluded between them (hereinafter – the Agreement).
Data subject is entitled to become acquainted with the basic conditions of the Agreement related to the Joint controlling of the Data on its written request.
The Controller processes Data for the following purposes:
Use of cookies - in order to verify Data subject, remember its personal Platform account preferences, maintain and improve it. More information on cookies is available at Cookie Files Usage Policy.
Identity verification - in order toascertain and verify Data subject’s identity, conclude contract and provide Service.
Platform account support - in order to create and maintain the Platform account, support its functioning.
Performance of due diligence - in order to perform Data subject research in compliance with the requirement of the Estonian and European Union legal regulation related to prevention of money laundering and terrorist financing activities.
Reminders and notifications - in order to remind about incomplete Platform account creation, notify about changes in provided Service and other changes that might affect Data subject’s rights and obligations.
Data subject can refuse reminders and notifications by informing the Controller via e-mail.
Sending information - in order to communicate with Data subject in commercial and marketing purposes.
Data subject can refuse communication in the defined purpose by informing the Controller via e-mail.
in order to fulfill accounting and financial obligation, provisions of the Estonian law and regulations of the Controller internal control system any information from any Data category may be used.
Data processing purposes are interconnected with provision of Service, which may be provided only if the Data subject submits the Controllernecessary Data determined in Data category.
Controller processes the following Data categories:
Identification data - name, surname, personal identification code, residence or seat address.
Identity document data - copy of identity document.
Due diligence data - including, but not limited to information regarding source of funds, economic activity, information whether the person is a politically exposed (PEP)[1]or sanctioned person, tax residence address.
Platform account data - information regarding creation and activities (logins, IP-addresses, etc).
Financial data - information regarding performed transactions, bank accounts or payment system accounts.
Contact data - information regarding residence or seat address, e-mail address and phone number.
The Controller transfers Data to another undertaking in order to achieve defined purposes and on a legal basis ensuring that undertaking had taken obligations not to divulge transmitted Data.
Identity verification service provider - Data subject identification and verification is carried out via electronic identity verification service provider where Data subject submits identity verification information.
Third party - in order to protect Controller’s legitimate interests.
Joint controller - Data transmission to security agent, who is custodian of collateral in connection with a secured loan (for detailed information relevant Terms and Conditions).
Outsource service providers - in order to fulfill Controller’s obligations using outsourcing service, Data can be transferred to accounting, communications, legal, IT, compliance service providers, payment intermediaries, credit institutions, etc.
State authorities - Data transmission to state institutions or organizations when these obligations are arisen from Estonian legislation are obligated.
Data collected for the purposes of implementation of due diligence measures are retained for 5 years after the termination of the business relationship or an occasional transaction.
Data collected for the purposes of fulfilment of accounting obligations are retained for 7 years after the termination of a contractual relationship.
Data may be stored for a longer period, but the period for which the Data are stored should be limited to a strict minimum.
To exercise any of the rights Data subject can send to the Controller a request using an e-mail [email protected]. The exercise of a right must be clearly designated in the request provided to Controller.
The request is answered without undue delay within a month after it has been received. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Controller informs Data subject of the extension period and the reason of delay. The information upon request is provided in electronic form unless is otherwise requested.
If the Controller does not take an action on the request it informs Data subject on the reasons at the latest within one month of receipt of the request. Information on Data issued upon request is free of charge, but compensation for any reasonable costs associated with dealing with the request may be demanded.
Controller keeps right to request additional information concerning Data subject and its representative’s right to receive information and to request of rectification and erasure of Data. Controller keeps rights to refuse to act on the request in case when it is manifestly unfounded or has an excessive character. Controller also may restrict Data transmission or not transmit it in the case provided by Estonian legislation.
Data subject is entitled to:
Data subject is entitled to request prompt rectification of the incorrect Data and completing of the incomplete Data.
Data subject is entitled to request prompt erasure of Data if one of the following conditions exists:
The request to erase Data may be denied if there is a legitimate legal ground for doing so.
Data subject is entitled to restrict processing of Data where one of the following applies:
Data subject is entitled to receive information on each enterprise and person who was informed on Data rectification or erasure or restriction of processing Data upon its request.
Data subject is entitled to receive Data and transfer them to another Data controller insofar Data have been provided based on Data subject content and the processing is carried out by automated means. This right does not apply to Data created by Controller.
Data subject has right to withdraw the consent to Data processing.
if Data subject finds that the rights listed above are violated upon processing of Data, it is entitled to address with compliant the Estonian Data Protection Inspectorate https://www.aki.ee/en/39 Tatari Street, 10134, Tallinn, Estonia, telephone (from abroad add +372) 627 4135, [email protected]
To enhance effectiveness of Data protection measures and ensure compliance with the Act and GDPR requirements Data Protection Officer who’s involved in all Data protection issues is appointed and notified through the Data Protection Inspectorate Enterprise Portal.
Version 1. In force from the 1stof March, 2020[1] PEP a natural Politically Exposed Person who is or who has been entrusted with prominent public functions including a head of State, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d'affaires and a high-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a State-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organization, except middle-ranking or more junior officials; 2) )PEP family member - the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or local politically exposed person; a child and their spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or local politically exposed person; a parent of a politically exposed person or local politically exposed person; 3) PEP close associate - a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a politically exposed person or a local politically exposed person; and a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person or local politically exposed person.