Privacy Policy
Introduction
We are pleased you have decided to use the services of a Fintech platform (hereinafter referred to as the “Platform”) operated by occollo s.r.o., ID 073 32 084, with its registered office at Dlouhá st. 730/35, Old Town, 110 00 Prague 1, a company registered in the Commercial Register kept by the Municipal Court in Prague, file No. C 299210 (hereinafter referred to as the "operator").
Our Platform is intended to enable you to invest quickly and clearly in specific development products (Loan Project). To be able to operate the Platform efficiently, we process your personal data, but only to the extent necessary and with a high degree of security. We process personal data in two modes: on the one hand, under the personal data processing rules, acceptance of which is a condition for setting up a user account on the Platform, and on the other, under consent to the processing of personal data, which the Platform user (data subject) grants voluntarily and may revoke at any time.
In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the rules for the processing of personal data are as follows:
The text explains:
What information do we process?
What sources does this information come from?
For what purposes do we process information?
Who can process your data?
How long do we keep personal data?
What method we use for data processing
What are your legal rights when processing personal data?
What information do we process?
In the following section we will show you what (personal) data we process within the Platform:
Basic identification data
Name, surname, personal identification number, birthdate, address, nationality. For legal entities, the data stated in the Commercial Register, basic information on the legal entity's representative where applicable.
Login and registration data
Password, username, a copy of the identity document (within the scope of the legal obligation), possibly other login elements.
Contact information
Postal address, phone, e-mail, social network identifiers. IP address or identification of the user's communication device.
Bank details
These are account numbers, by which we identify you and match the detected payments to you.
Information on the use of the Platform
We use information about visited websites, used applications or products within the Platform to control and improve its functionality.
Interaction with Platform users
To ensure continuity in communicating with you we record information about the contacts made between you and us. These are mainly data such as date (or time) of the contact, contact reason and if the contact was initiated by you or us. This applies to contacts via all channels – phone, SMS, chat, mail, e-mail, personal meeting with the operator.
Loan/trust project data
In case you use the Platform as a Lender, we process information about the Loan project that you provide us with. We use this data to check and verify the information continuously received. This also includes information used to classify Loan Projects.
Data we process about you in order to fulfil our legal obligation
This is the data which we primarily must collect, evaluate, and store for a specified period of time in order to fulfil our legal obligation. This is, for example, an archiving obligation under the laws which regulate the area of our business, obtaining and evaluating data for the purpose of fulfilling obligations in the prevention of money laundering and a number of other laws. For example: sources and origin of income, capital interconnectedness, nationality, residency, scope of business, political affiliation, etc. Based on your marketing consent, we will also be able to process this data for marketing purposes.
Data which we process about you for the purpose of our legitimate interests
Typically, this is the data used to ensure the safe use of our products and services, assessment of credibility and solvency, prevention and evaluation of possible fraud, etc. Based on your consent, if granted, we will also be able to process this data for marketing purposes.
What sources does this information come from?
We obtain data processed within the Platform only from the operation of the Platform or directly from users of the Platform.
For what purposes do we process information
Within the Platform, we process information about you for the following reasons:
Fulfilment of our legal obligations (for example - the obligation to identify users of the Platform).
Fulfilment of our obligations and commitments to you the customer within the Platform.
Streamlining the operation of the Platform.
Communication with you, answering your questions, informing about your chosen Loan/Trust Project, communication with technical support.
For registration and cataloguing of users.
For carrying out tests and trials required by legislation (e.g., measures against money laundering and terrorist financing) or contractually.
For completing individual contracts, filling in forms inside or outside the platform, or any necessary use of personal data for the intermediary activity of the operator.
To ensure mutual contact between the lender and the borrower including the mutual transfer of individual personal data between both parties.
To ensure operational and business communication of the platform with individual users, including sending of information messages and commercial communications, however, exclusively in accordance with Act No. 480/2004 Coll., on certain services provided by information company and on amendments to certain Acts (Act on certain services provided by information company), as amended.
The user in the position of the lender acknowledges that their personal data may, to an appropriate extent, be transferred to the borrower. The user in the position of the borrower acknowledges that their personal data may be disclosed, to an appropriate extent, to an open circle of persons.
Who can process your data
The administrator of (personal) data is the operator, i.e., occollo s.r.o. Regulation of personal data protection allows the administrator to authorize a processor to process the personal data. The processor of personal data is every user who processes personal data on the basis of special law or credentials or authorization by the administrator.
Functional and analytical cookies
A cookie is a short text file sent by the visited web page to the browser. Functional and analytical cookies mediate the basic functionality of the site. The platform cannot work without them. We use cookies, for example, to store your safe searching settings, to ease the registration of new services and to protect your data. The user is not identifiable on the basis of this information, not even with the use of other information processed about you. Cookies are not a danger and are not used to obtain sensitive personal data.
Third-party cookies are processed and managed by third parties and we do not have access to read them. Such third parties are:
Google Ireland Limited, based in Gordon House, Barrow Street, D4 Dublin, Ireland
Seznam.cz, a.s., with its registered office at Radlická 3294/10, 150 00 Prague 5
Facebook Ireland Limited, based at 4 Grand Canal Square, D2 Dublin, Ireland
Common internet browsers allow you to turn off working with cookies in your settings. See your browser's help and follow the instructions. If you have consented to the use of cookies in your browser, we will take it that you agree to the use of cookies on our websites. Keep in mind that with cookies turned off, the comfort of providing our services can be significantly reduced.
How long we keep personal data
We process your (personal) data for the period of your use of the Platform and for a maximum of 36 months. The duration of the trust relationship is also considered to be the use of the Platform which has been or will be agreed with you through the Platform. If we do not need your personal data due to our legitimate interests, we will remove it without undue delay after termination of your use of the Platform.
However, your (personal) data may still be processed after the above period has elapsed or your consent to the processing of personal data has expired, but only if there is another legal reason for its processing and only to the extent required by such legal reason. Such a legal reason could be the fulfilment of a legal obligation (especially tax and accounting obligations) as well as processing necessary for the purposes of the legitimate interests of the operator or a third party (especially for the period of the user's right to exercise rights against the operator).
Method of data processing
We process data on users of the Platform only for the necessary time and to the necessary extent. As a rule, only two persons on the administrator's side (i.e., the operator) and two persons on the processor's side have access to the data. Personal data is technically protected against unwanted data leakage.
The guest server is located in the data centre in a securely locked rack cabinet. Only dedicated people have access to the data centre and to the rack cabinet itself. Access to the server database requires authentication, i.e., a user name and an encrypted password. Access to the database server is restricted from the outside by the user's rights and the server's firewall: the network port is opened only to dedicated IP addresses. Access to the files is possible via FTP and SSH with authentication, i.e., a user name and an encrypted password. Access to the FTP and SSH servers is guarded against dictionary attacks and by a firewall. In the case of the SSH server, the network port is opened only to dedicated IP addresses. The network itself is also protected by a professional Hinet firewall Fortinet where DDoS attacks are also filtered. The internal network is then protected by VLAN. Server data is backed up daily to a separate disk array. Advance rotation is after 7 days. The data disk of the server runs in multi-RAID mode. Network devices and the power supply of the physical server also have redundancies. The guest server runs in the Cloud system in HA Cluster mode. The entire application is secured using the HTTPS protocol. Passwords in the database are encrypted. The application verifies access and rights to individual actions not only at the request level but also directly before performing the action itself. The application uses techniques against SQL injection. Your data is stored in secure data repositories in the European Union.
Personal data will be processed manually and automatically to the extent in which it was provided. The platform operator is obliged to protect personal data to the same degree or better than required by law. Users' personal data will be securely stored in electronic or paper form. If some of your data is stored in paper form, which would obviously be an exception, it will be kept in a safe, where access to this data will be available only to the operator's manager and, where applicable, one person designated by the manager. Personal data stored in paper form will be stored and processed under similar conditions to electronic data. The inspection and shredding of paper media of personal data will take place twice a year.
To protect users and the platform, the operator is entitled to monitor and evaluate the user's activity on the platform by any technical means.
What are your legal rights when processing personal data?
When processing your personal data, you have, in particular, the following rights:
Access to personal data - Access to personal data means the user's right to obtain information (confirmation) from the administrator on the basis of an active request, whether or not this personal data is processed and if it is processed, the user has the right to obtain this personal data and at the same time has the right to obtain information related to the processed data.
Right to correct personal data - The user has the right to correct personal data which concerns them.
Right of deletion - The administrator (operator) is obliged to destroy personal data if at least one condition is met:
Personal data is no longer needed for the purposes for which it has been collected or otherwise processed.
The user revokes the consent, in case the consent was required for processing and there is no other legal reason for processing.
The user objects to the processing and there are no overriding legitimate reasons for the processing.
Personal data has been processed illegally.
Personal data must be deleted in order to fulfil a legal obligation.
Personal data was collected in connection with the offer for the services made by an information company pursuant to Article 8 par. 1 of the general regulation (GDPR).
The right to data erasure is not an absolute right which would give the user the possibility to request the deletion of personal data at any time and in any situation.
Right to data portability - The essence of the right to data portability is the possibility for the user, under certain conditions, to obtain the personal data which concerns them and which they have provided to the administrator, together with the right to pass this data on to another administrator.
Right to object to the processing of personal data - The user has the right to object to the processing of personal data at any time for reasons related to their specific situation. The administrator does not further process personal data unless there are compelling legitimate reasons for the processing which outweigh the interests or the rights and freedoms of the user, or to determine, exercise or defend legal claims. Users have the right to contact the Office for Personal Data Protection (www.uoou.cz) with a suggestion or complaint if the personal data administrator or the processor does not comply with the request for removal of the defective information; however, you can also contact this office directly at any time.
The right not to be the subject of any decision based solely on automated decision-making - This right guarantees the user that they will not be the subject of a decision based solely on automated processing, except for possible exceptions. The situation is not considered an automatic decision when the user does not formally meet the requirements set by the Platform.
The above principles are valid from April 9, 2019.