Application Privacy, Cookie and Data Use Policy

1. THIS POLICY

1.1 This Policy, together with our Terms and Conditions (T&C) and other our contractual documents, explains how any personal data we collect from you, that you provide to us, or that we receive indirectly from third parties (e.g. persons that may represent you, registers, state authorities, etc.) will be processed by us or any processor on our behalf.

1.2 This Policy is applied to our T&C and other contractual documents used. You are therefore advised to read it carefully. Terms used within it shall have the meaning(s) given in the European General Data Protection Regulation (Regulation), as applicable.

1.3 This Policy together with the T&C apply to your use of mobile app once you have downloaded our application (App) from Google Play Store or Apple Store into your mobile telephone or other device or by registering for user account with us (Account) or by getting any of the services accessible through the App, you accept the practices described in this Policy. 

1.4 Any changes we make to this Policy will be posted on this App and, where appropriate and possible, will be notified to you by SMS, by email and/or when you next laucnh the App. You are advised to check back frequently as any changes will be binding on you when you continue to use the App after the date of the relevant change.

1.5 For more information relating to your rights under this Policy, please see section 10.

1.6 If you have any queries relating to this Policy, please take a look at our data related FAQs or contact us at compliance@bobofin.com.

2. WHO WE ARE

2.1 We operate the App, and we process your personal data together with other Bourgeois Bohème Fintech group companies (further in this Policy together referred as “we”).

2.2 Your data will be processed on our behalf by subcontractors that we use for carrying out our activities and provision of services that you requested for example, performance identity verification and KYC/AML compliance checks, payment services, hosting a website and an information technology system, partner credit institutions for protecting funds or carrying out payment operations, etc., (Subcontractors). The subcontractors process your data only exclusively in the framework of the latter’s activities. The Subcontractors are not authorised to use your personal data for their own behalf. We contractually impose on Subcontractors to comply with the obligations of security and confidentiality, to implement appropriate technical and organisational measures so that data processing is carried out in a manner that complies with applicable regulations and guarantees the protection of your rights.

2.3 Data controllers may provide us services related to data processing from time to time. We will operate on the terms of a written agreement with these data controllers relating to your personal data.

2.4 The functions of data protection officer (DPO) are assumed by the General Manager of the Company, Simon Isaev.

3. YOUR MAIN PERSONAL DATA PROCESING CONDITIONS

3.1 By registering for Account and/or otherwise using the App, you:

3.1.1 provide us and our Subcontractors with the personal data necessary to allow you to use the App, make transactions through it or to get any of the services accessible through the App;

3.1.2 confirm that you are aware that the processing of your personal data may be performed by us and/or Subcontractors, and or other data controllers, and/or those specifically listed third parties, in accordance with this Policy; and

3.1.3 confirm that are aware that your personal data may be transferred to those third parties listed in this Policy, for the reasons specified.

3.2 You may object to your data processing under 3.1 at any time. However, where the objection prevents us or our Subcontractors from verifying your identity or otherwise monitoring who you are, you will be unable to use your Account, payment devices and make transactions through our App. You may exercise your rights under 11.1 at any time, which includes your objection to our processing of your personal data. However, where this withdrawal prevents us from performing our contract with you, we may not be able to provide our services to you.

4. WHAT WE COLLECT

We may collect all or some of the following categories of data from you:

• Title;
• Full name;
• Date of Birth (or personal number);
• Nationality;
• Full address;
• Proof of address (e.g. invoice for utility services);
• Email;
• Phone number;
• Bank account;
• Card number;
• Device data;
• Personal document number;
• Personal document issue and expiration dates;
• Copy of personal document;
• Selfie (i.e. App user‘s photo);
• Source of income, Source of Wealth or Source of Funds;
• Results from Politically Exposed Persons (PEP) Screening & Sanction screening;
• Any additionally required Know Your Customer (KYC) data;
• Any additional personal data required for proving Source of Funds (e.g. job contract, certificate of inheritance, etc.);
• Information for our internet access logs, such as but not limited to internet protocol (IP) addresses, browser types, internet service providers (ISP), referring/exit pages, operating systems used, date/time stamps, and click stream data;
• Details of transactions you carry out through our App or any payment device, including date, time, amount, currency, Mastercard exchange rate, transaction text, transaction identifier, beneficiary details, merchant or ATM location, merchant category code and other transaction specific details provided by card or bank scheme network;
• If you contact us, we may keep a record of that correspondence;
• We may use your personal data to target advertising to you, unless you do not express your disagreement. We attempt to advertise products and services in which you have expressed an interest in some previous communications with us. We may, at our discretion, target advertising by using email, direct mail, telephones, cell phones, and other means of communication to provide promotional offers.

4.2 In addition to the above, we will also provide you with your Account Details, which includes your username which is either created by, or assigned to, you. The Account Details should be remembered by you, but will be stored by us in case you forget them.

4.3 Specific categories of processed personal data may also be in separate sections of this privacy policy. 

4.4 All categories of personal data which are collected by us are indicated in Procedure for performance and maintenance of records of data processing activities. 

5. HOW WE COLLECT YOUR DATA

The data listed in section 4 is collected in the following ways:

5.1 By you registering for an Account – this is any information you give to us that we request from you when signing-up for an Account within our App or by contacting us (e.g. by e-mail or via chat functions on the App).

5.2 Information collected – each time you visit our App through a network on your own mobile device Subcontractors may automatically collect:

5.2.1 technical information – your IP address (used by your device to connect to the internet) and any version details; and

5.2.2 information about your visit – means the links you have clicked on, in the App; and

5.2.3. transaction information – including date, time, amount, currencies used, exchange rate, beneficiary details and etc.; and

5.2.4. Content information – information stored on your mobile telephone or other device, including contact information, in case you allow to access it (e.g. address book, login information, photos, videos or other digital content and etc.).

5.3 Received from third parties – we and our Subcontractors work closely to verify your eligibility for an Account, payment, delivery services, and etc. We will also perform searches in global and local data bases when we are required to do this by law or for business purposes (e.g. PEP or Sanction list, credit ratings, etc.) and get personal data from the state authorities.

5.4 Additional information provided by you directly – this is any information you provide to us related to the performance of our services and/or based on other purpose (e.g. provision of the queries, phone calls that may be recorded). 

5.5. Location information – this is information that allow us to determine your location (e.g. GPS technology, IP address). You can withdraw your consent at any time by disabling location permission. 

6. COOKIES

6.1. Cookies are not used to process your personal data under this Policy.

7. WHAT WE DO WITH YOUR DATA

7.1 Your data is primarily necessary to verify who you are when accessing your account and to ensure you meet our eligibility requirements in order to submit an application for an account. We or our Subcontractors will use all or a part of your data for performance of our obligations under T&C and provision of other related services to you and/or for compliance with a legal obligation, to which we or our Subcontractors are subject to and performance of internal administration activities. 

7.2 Additionally, we will use all or a part of your data you provide us to notify you about:

7.2.1 services of interest for you; 

7.2.2 changes to our App or our services.

7.3 We and our Subcontractors use any data we collect about you (as a result of your visit to our App) to:

7.3.1 personalise and improve our services (including the App and its security);

7.3.2 deal with your inquiries and requests;

7.3.3 administer and monitor traffic and behaviours on our App for analysis, testing, research, statistical and survey purposes;

7.3.4 ensure that any part of our App (including any Content) is presented in the most effective manner for you and your device, and to make improvements (where necessary); and

7.3.5 keep our App safe and payment devices secure.

7.4 Where we change our services, or any applicable terms and conditions, we will contact you. For more details please see clause 1.6 of the Policy.

7.5 Any data we obtain about you from third parties (Subcontractors or other data controllers) is used for the purposes of verifying your eligibility to submit an application, and/or to download our App, and/or to perform payment transactions, and/or get any of the services accessible through the App. 

7.6 The data we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (EEA). It may also be processed by staff operating outside the EEA who work for us or one of our suppliers. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

8. HOW AND WHY WE DISCLOSE YOUR DATA

8.1 Subject to the rest of part 8 of this Policy, we will only disclose your personal data to the third parties which shall be considered as data processors for the following purposes:

8.1.1 credit-checking/reference agencies and fraud prevention agencies – in order to verify your identity, perform transactions you instruct on us, for the purposes of fraud detection or protection, or in other situations involving suspicious and/or illegal activities. We may as well perform a search of your credit file, if this is necessary and/or required to deliver our services to you;

8.1.2 to process the transactions – in order to allow you to make the payment(s) through your payment devices within the App;

8.1.3 banking, including Electronic Money Institutions, and financial service partners such as banking intermediaries, international payment services providers and regulated distribution agents – in order to perform our services and payments;

8.1.4 card and other payment devices‘ manufacturing/personalisation and delivery companies – in order to produce and create your payment device(s), and to deliver it to you either by air mail, courier or personally;

8.1.5 our approved email provider - in order to be able to send emails to you (please note that only your email address is provided to approved email provider);

8.1.6 analytics providers – for performance of App‘s troubleshooting, data analysis, testing, research, usage tracking and for the purposes of fraud detection or protection, or in other situations involving suspicious or illegal activities;

8.1.7 other approved services providers – in order to ensure the proper functioning and provision of the services (e.g. IT services provider, cloud storage providers, auditor, accounting services provider, etc.). In order to provide a proper service for all of our products, we may disclose data to any member of the Bourgeois Bohème group, so that the data may be provided to any subsidiaries, affiliates or Bourgeois Bohème related entities. 

8.2 In addition to the transfers contemplated by part 8.1, we or our Subcontractors may transfer or disclose your personal data to:

8.2.1 comply with any legal obligation required under legal requirement (e.g. to state authorities);

8.2.2 enforce any part of our T&C and/or any other agreements between you and us or to investigate potential breaches; or

8.2.3 protect our rights or our property, or those of our other Account holders. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. 

8.3 Any websites which are linked to the App are outside of our control and not covered by this policy. If you access those websites using the links provided, the website operators may collect information from you which will be used by them in accordance with their own privacy policies (if any). These policies may differ from ours, and we cannot accept any responsibility or liability in respect of these.

9. SECURITY

9.1 Each member of the staff can access the systems only by using unique login credentials. Staff has access to personal data only for the purposes of performing their roles.

9.2 You may set a password in order to access certain parts of our App. You are responsible for keeping this password confidential. We ask you not to share a password with anyone. 

9.3 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach, where we are legally required to do so.

9.4. We seek to put in place appropriate technical and organisational measures to help protect your personal information from unauthorised access, use, disclosure, alteration or destruction consistent with applicable Data Protection Laws. Nevertheless, we have to inform you that the transmission of information via the Internet is not completely secure. We cannot guarantee the security of your data transmitted to our App, so that any transmission is at your own risk.

10. RETAINING YOUR INFORMATION

10.1. We are obligated to retain personal data about you and your transactions for such time until the retention of your personal data is no longer necessary for any business or legal purpose, i.e. in order to comply with anti-money laundering and countering the financing of terrorism and other obligations applicable to us. 

10.2 Once collected, we may retain your data related to financial transactions for up to 8 years following the date of your last transaction or the date you close your Account (whichever is the later). This time limit may be additionally extended if a reasonable ground exists.

10.3 The personal data storage period is set based on the below principles:

10.3.1 Usually, we keep the data during the course of the provision of services, during the validity of the contract and 10 years after the expiration of the contract or legal relationships, while executing the requirements set forth in legal acts related to document archiving and in order to declare, execute or defend the legal claims. 

10.3.2 If the transaction has not been concluded, we will store personal data for 3 years from the date of its receipt. If a transaction is refused, due to the implementation of money laundering and terrorist financing prevention measures, personal data shall be stored for 8 years from the moment of refusal.

10.3.3 According to the requirements of legal acts regulating the prevention of money laundering and terrorist financing, we will process personal data for 8 years from the date of receipt. This time limit may be additionally extended if a reasonable ground exists.

10.3.4 For the purposes of direct marketing, while providing information regarding similar services that we have provided to you and/or you expressed the interest into them, according to the basis of legitimate interest, we process personal data during the term of the contract with you and during 3 years after the expiration of the contract or until you will object to the receipt of such messages.

10.3.5. For the purpose of direct marketing and according to your consent, we process your personal data for no longer than 5 years after receiving your consent, or until you revoke your consent regarding data processing. This provision is only applied for non-customers that did not expressed the interest into our services to our services. 

10.3.6 If you revoke your consent for data processing or the data processing term expires (when the data is processed on the basis of your consent), only the data confirming the fact of your consent is retained for 6 years from the end of the consent period or the cancellation of consent in order to declare, execute or defend the legal claims.

11. YOUR RIGHTS

11.1 In relation to all of your personal data, you have the following rights (in addition to any rights you may have under the Regulation and the Law):

11.1.1 to access to your personal data, i.e. this enables you to receive a copy of the personal data we hold about you;

11.1.2 to clarify what data we hold about you, how it was obtained, to whom it has been disclosed and for how long it will be stored;

11.1.3 to amend any inaccurate data we hold about you;

11.1.4 to delete any of your data (where you no longer think we need to hold it or you think we have obtained it or processed it without your consent at any time); 

11.1.5 to object to processing of your personal data, i.e. to process your personal data in limited circumstances or for limited purposes (e.g. process your data for direct marketing purposes);

11.1.6 to forward the personal data you provided (in case it is on the basis of consent or contract, and if they are processed by automated means) to another data controller or transferred to you in a structured, commonly used and computer-readable format, if it is technically possible;

11.1.7 to stop the processing of personal data, except if we process personal data due to the legitimate interest of us or other person to whom personal data are provided, and your interests are not more important;

11.1.8 to withdraw consent at any time where we are relaying on consent to process your personal data;

11.1.9 not to be the subject only to automated processing, including profiling;

11.1.10 to submit an appeal on the actions or inactions of us, related to the implementation of the data subject's rights to the respective Data Protection authority that is located in member state of the European Union where you reside; and

11.1.11 compensation, which you must apply for to the competent court that is located in member state of the European Union where you reside, if you have suffered damage as a result of a violation of the data subject's rights, you are entitled to.

11.2 If you wish to exercise any of your rights at any time, please contact us on the details contained at the beginning of this policy in the first instance. We will require you to verify your identity to us before we provide any personal data, and reserve the right to ask you to specify the types of personal data to which your request relates. We will try to respond to your legitimate requests within one month. Occasionally, it may take us longer than one month if request is complex or you have made a number of requests. 

11.3 Where you wish to exercise any of your rights, they may be subject to payment of a nominal administration fee (to cover our costs incurred in processing your request) and any clarification we may reasonably require in relation to your request. Such fees may be charged where we consider (acting reasonably) that your request is excessive, unfounded or repetitive.

11.4 Any data provided to you in accordance with your rights will be in a structured and machine-readable form.

11. YOUR RESPONSIBILITIES

12.1. You confirm that you have provided correct data about yourself in every required form and that afterwards, when changing or adding any data to the App, you will enter only correct data. We will not tolerate invalid, false or otherwise incorrect data and will pursue actions in accordance with its legal obligations. You shall bear any losses that occur with regard to the submission of invalid, false or otherwise incorrect data.

12.2 We draw your attention to the fact that email address and any other contact information you have chosen to link to your Account are used for your identification and communication. You undertake responsibility to protect these instruments and logins to them. You are responsible for password disclosure and for all operations performed after you use the password for a relevant account. We recommend to memorize your passwords and not to write them down or enter anywhere where they may be seen by other persons.