SALT EDGE DASHBOARD PRIVACY POLICY

Date Last Revised: August 8, 2019

Welcome to Salt Edge Dashboard, a platform provided by Salt Edge Limited allowing to view financial information relating to accounts in a consolidated way. This Salt Edge Dashboard Privacy Policy ("Privacy Policy") describes and summarizes the policies and procedures employed by Salt Edge Limited ("Salt Edge", "we", "our", "us") with respect to the collection, use, storing, processing, disclosure, sharing and protection of Personal Data provided or acquired through your use of the Services made available via our website https://www.saltedge.com/dashboard ("Salt Edge Dashboard").

Salt Edge takes the privacy of individuals very seriously. We are committed to maintaining the security, confidentiality, availability and integrity of the personal data in our custody or control, and protecting such data in accordance with the applicable legislation. The technological developments in the information society are continually evolving, along with the threats that such innovations pose to the privacy of individuals and the security of their personal data. Salt Edge will continually assess the employed security measures, both technical and organizational, in order to determine the appropriate level of protection. We regularly review our privacy and security practices and adapt them as necessary to deal with new regulatory requirements, changes in legislation and/or security standards.

To make it easier for you to navigate through this Privacy Policy and find the relevant information quickly, we have divided it into the following sections for convenience:

Section 1 – DEFINITIONS
Section 2 – APPLICATION
Section 3 – ACKNOWLEDGEMENT
Section 4 – COLLECTION OF PERSONAL DATA
Section 5 – USE OF INFORMATION
Section 6 – CHILDREN'S PRIVACY
Section 7 – DISCLOSURES AND TRANSFERS
Section 8 – LEGAL BASIS FOR PROCESSING
Section 9 – PARTNER’S ROLE UNDER THE DATA PROTECTION LAWS
Section 10 – SPECIAL CATEGORIES OF PERSONAL DATA
Section 11 – ANTI-SPAM LEGISLATION
Section 12 – THIRD-PARTY WEBSITES
Section 13 – YOUR RIGHTS UNDER GDPR
Section 14 – DATA RETENTION AND DELETION
Section 15 – PERSONAL DATA SECURITY
Section 16 – NOTIFICATION OF PERSONAL DATA BREACH
Section 17 – PRIVACY POLICY UPDATE
Section 18 – DATA PROTECTION OFFICER
Section 19 – CONTACT

1. DEFINITIONS

For the purposes of this Privacy Policy, in addition to the capitalized terms defined elsewhere in this Privacy Policy, the following terms shall have the meanings ascribed to them as follows:

1.1. "Account Information Services" means an online service to provide consolidated information on one or more Payment Accounts held by you with either another payment service provider or with more than one payment service provider, and includes such a service whether information is provided:

  1. in its original form or after processing;
  2. only to you or to you and to another person in accordance with your instructions.

1.2. "ASPSP" means the payment service provider that provides and maintains a Payment Account for you (e.g., bank, building society, electronic money institution).

1.3. "Consent" means any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of your Personal Data.

1.4. "Controller", "Data Subject", "processing" (including its derivatives), "Processor" and "Supervisory Authority" as used in this Privacy Policy shall have the meanings given to such terms in the GDPR.

1.5. "Data Protection Act" means the Data Protection Act 2018 (c.12) of the United Kingdom.

1.6. "Data Protection Laws" means the Data Protection Act, GDPR and laws implementing or supplementing the GDPR in each Member State, as amended, replaced or superseded from time to time, and that are applicable in your jurisdiction with respect to the privacy, protection, processing, collection, use or disclosure of Personal Data.

1.7. "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.8. "GDPR Consent to Transmit Data" means a freely given, specific, informed and unambiguous indication of your wishes by which you, by a clear affirmative action, give explicit consent to Salt Edge to transmit your Payment Account Data to the designated Partner.

1.9. "Partner" means the third party to whom you instruct Salt Edge to transmit your Payment Account Data based on your GDPR Consent to Transmit Data.

1.10. "Payment Account" means an account accessible online held in your name by the respective ASPSP, including but not limited to current account, e-money account, flexible savings account and credit card account.

1.11. "Payment Account Data" means the information made available from your ASPSP relating to your Payment Account, including without limitation account details (account name, number, balance, currency, etc.), transactions details (transaction amount, currency, date, description, etc.), account holder details (name, address, email, phone number) and features and benefits of your Payment Account, that is accessed and automatically retrieved by Salt Edge through the Services and presented to you in the Salt Edge Dashboard after processing.

1.12. "Payment Regulations" means PSD2 and all applicable laws or regulations in force from time to time in the respective ASPSP’s jurisdiction giving effect to PSD2, together with all regulatory technical standards, codes of practice, guidelines and/or formal interpretations issued by the relevant national competent authority with respect to PSD2 implementation.

1.13. "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes without limitation Registration Information, Payment Account Data and Personalized Security Credentials.

1.14. "Personalized Security Credentials" means the personalized features, including without limitation ASPSP’s API access tokens, username, password, access number, security questions and answers, token/SMS codes, and multifactor information, provided to you by your ASPSP for the purposes of authentication, including but not limited to strong customer authentication.

1.15. "PSD2" means the Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.

1.16. "PSD2 Consent" means the consent that you give to Salt Edge to access your Payment Account in accordance with the Payment Regulations for the purpose of providing Account Information Services to you.

1.17. "Registration Information" means the information that you provide to Salt Edge (or, in relation to your email address, that the respective Partner provides to Salt Edge on your behalf) for the purpose of setting up a User Account, including without limitation email address, password, phone number and any other information that Salt Edge may be required by law or regulation to collect for identity verification during or subsequent to registration, as the same may be updated by you from time to time.

1.18. "Special Categories of Personal Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

1.19. "User Account" means the unique user account set up with Salt Edge at the time when either you complete the account registration process or start using the Services.

1.20. "Services" means the Account Information Services, consent management functionality and any other related content, features, tools or services as made available by Salt Edge from time to time in the Salt Edge Dashboard.


2. APPLICATION

Salt Edge recommends that you read this Privacy Policy carefully and entirely to ensure that you are aware of all the practices and policies of Salt Edge in respect of Personal Data collection, use, disclosure, processing and protection. This Privacy Policy applies to all users who access the Salt Edge Dashboard and use the Services.


3. ACKNOWLEDGEMENT

By accessing the Salt Edge Dashboard and using the Services you hereby: (i) acknowledge and confirm that you are at least eighteen (18) years old, or of the legal age of majority in the jurisdiction in which you reside, and (ii) consent to the collection, use, and processing of your Personal Data as described in this Privacy Policy. Except as set forth in this Privacy Policy, Salt Edge will not use your Personal Data for any other purpose without your Consent. Salt Edge will only disclose your Personal Data to third parties strictly in accordance with, and for the purposes set forth in, this Privacy Policy. Salt Edge does not, and will not, sell, lease, license or rent your Personal Data to any third party, nor will Salt Edge use the collected Personal Data for advertising or marketing purposes unless you give your Consent for such use.


4. COLLECTION OF PERSONAL DATA

When you use the Services Salt Edge will collect information, including Personal Data, for the purpose of providing, maintaining and improving the Services, as well as complying with applicable laws and regulations. Salt Edge collects Personal Data primarily in four (4) ways:

  1. Information you provide to Salt Edge voluntarily:
    1. When you contact Salt Edge’s support team (by email or contact form in the Salt Edge Dashboard) with respect to any issues relating to the Services or communicate with Salt Edge in any other way, you voluntarily give Salt Edge information that Salt Edge collects and processes for the purposes as described in the Salt Edge Dashboard Terms of Service and this Privacy Policy. The provided information may include Personal Data such as: name, email address, phone number and financial data. When you voluntarily submit Personal Data with your enquiry or request, Salt Edge will process any such Personal Data in accordance with this Privacy Policy. In some cases, Salt Edge may require additional information, including Personal Data, in order to identify you while processing your enquiry or request. Salt Edge may also maintain records of such communications with you, including any follow-ups and subsequent feedback, for internal purposes.
    2. In order to be able to use the Services you must create a User Account. During the registration process you will have to supply your Registration Information.
    3. In order for Salt Edge to be able to provide the Account Information Services, you will have to authenticate yourself towards your respective ASPSP with your Personalized Security Credentials. The Personalized Security Credentials are always stored encrypted. Salt Edge will use the Personalized Security Credentials provided by you in order to establish a secure connection to your Payment Account in the respective ASPSP and retrieve the associated Payment Account Data in accordance with the Payment Regulations and as further described in the Salt Edge Dashboard Terms of Service.
  2. Information Salt Edge collects from ASPSPs:
    For the purposes of providing the Account Information Services to you, Salt Edge will access your Payment Account in the respective ASPSP in read-only mode based on your PSD2 Consent in order to retrieve, use, store and process your Payment Account Data.
  3. Information Salt Edge receives from Partner:
    If you have been redirected to the Salt Edge Dashboard from a Partner, Salt Edge will receive your verified email address from such Partner in order to automatically set up your User Account when you start using the Services.
  4. Information Salt Edge collects through your use of the Services:
    1. Information Salt Edge collects automatically. Each time you use the Services, Salt Edge collects information relating but not limited to: (i) which Services are being used, (ii) all the areas within the Services that you visit, (iii) the time of day when you access and use the Services, (iv) actions taken by you when using and interacting with the Services, (v) which Services or parts thereof generate error messages, and (vi) your browser, operating system, geolocation data and internet protocol ("IP") address. Salt Edge collects this information automatically as part of its technical log files or other metadata, as well as through the use of cookies, web beacons and other similar tracking technologies. All personally identifiable information collected through your use of the Services is treated as Personal Data in accordance with the terms of this Privacy Policy. Salt Edge may also use the collected information in an anonymized aggregated way (i.e., in such a manner that the Data Subject is not or no longer identifiable) for a variety of purposes, including but not limited to improving user experience, enhancing the Services and developing new services (see further Section 5.b. “Use of Non-Personal Data”).
    2. Information collected by cookies. A cookie is a data file placed on a device when it is used to access a service. Cookies or similar technologies may be used for many purposes, including without limitation remembering you and your preferences and tracking your visits to the Salt Edge Dashboard or access to the Services. Cookies work by assigning a number to users that has no meaning outside of the assigning website or application. Salt Edge uses cookies for various purposes, including without limitation tracking your movements within the Salt Edge Dashboard, analyzing trends, gathering statistical data and improving user experience and the overall quality of the Services. Salt Edge encodes and encrypts the cookies so that only Salt Edge can interpret the information stored in them. Cookies can be disabled or controlled by setting a preference within your web browser or on your device. Thus, if you do not want information to be collected through the use of cookies, you can restrict or limit the use of cookies at the individual browser or device level. However, if you choose to disable cookies some features of the Services may not function properly or Salt Edge may not be able to customize the delivery of information to you. For detailed guidance on how to control, manage and delete cookies, you are advised to visit https://www.aboutcookies.org/.
      • First-party cookies: Salt Edge uses session cookies and persistent cookies when you use the Services. These types of cookies are essential to the operation of the Salt Edge Dashboard and the provision of Services. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from your computer. They store information in the form of a session identification that does not personally identify you. The persistent cookies are set with expiration date and are stored on your hard drive until they expire or you delete them. Salt Edge does not collect any Personal Data in the session and persistent cookies. Salt Edge uses session and persistent cookies for technical purposes, including but not limited to verifying the origin of requests, distributing requests among multiple servers, authenticating you and determining what functionality of the Services you are allowed to access.
      • Third-party cookies: Salt Edge also uses third-party cookies. These third-party service providers with whom Salt Edge has contracted help analyze certain online activities and provide analytics services. Salt Edge uses the following third-party cookies: Google Analytics and Google Tag Manager. Salt Edge has integrated Google Analytics and Google Tag Manager, analytics tools provided by Google Inc., in the Salt Edge Dashboard in order to collect and analyze data about users’ activity. Google Analytics and Google Tag Manager use cookies that collect information allowing Salt Edge to understand how you interact with the Salt Edge Dashboard. Such information contains online identifiers, including cookie identifiers, IP addresses and device identifiers, which may be considered Personal Data under the applicable Data Protection Laws. Salt Edge has enabled the IP address anonymization feature that prevents the storage of full IP address information in Google Analytics cookies. Google Inc. uses the collected information to evaluate the use of the Salt Edge Dashboard and provide online reports and other related services that help Salt Edge enhance user experience. The collected information may be transferred to and stored in the U.S.A. by Google Inc. or any third-party service providers acting on its behalf. If you object to the collection and processing of such data by Google Inc., you must install a browser add-on (available at https://tools.google.com/dlpage/gaoptout) which will prevent further collection and transmission of information via Google Analytics cookies. Additional details about Google Analytics cookie usage can be found here.
    3. Information collected by web beacons. Web beacons are images (single-pixel gifs) embedded in a web page or email for the purpose of measuring and analyzing website usage and activity. Web beacons or similar technologies help Salt Edge better manage the Services, count users of the Services, monitor how users navigate the Services, count how many emails that Salt Edge sends are actually opened and, generally, measure performance. Salt Edge does not link the information gathered by web beacons to your Personal Data. Web beacons do not collect Personal Data.

5. USE OF INFORMATION

  1. Use of Personal Data: Salt Edge may use the collected Personal Data for the following purposes:
    • to provide, maintain, administer, support, protect and improve the Services;
    • to meet the regulatory compliance requirements set forth in the Payment Regulations;
    • to transmit Payment Account Data to your Partner;
    • to provide customer support;
    • to handle and process enquiries submitted by you;
    • to send system alert messages relating to the Services and your User Account;
    • to enforce compliance with the Salt Edge Dashboard Terms of Service;
    • to investigate any illegal activity or wrongdoing in connection with the Services;
    • to protect the rights, property and safety of users, Salt Edge and third parties;
    • to transfer the Personal Data in case of a sale, merger, consolidation, or acquisition. In such case, any acquirer will be subject to Salt Edge’s obligations under this Privacy Policy;
    • to store the Personal Data, in order to be able to provide the Services, on Salt Edge’s servers or servers provided by third parties, whom Salt Edge has contracted and who are committed to complying with Salt Edge’s obligations set forth in this Privacy Policy;
    • to troubleshoot, investigate and fix service-related errors. In such cases, your Personal Data may be visible to and/or accessed by technicians, IT staff and/or system administrators authorized by Salt Edge;
    • to combine Personal Data with information obtained through the use of cookies, web beacons or similar technologies, in order to improve the Services and user experience;
    • to comply with legal obligations to which Salt Edge is subject;
    • to establish compliance with the Data Protection Laws during an audit or inspection conducted by an appropriate Supervisory Authority, provided that at all times the Personal Data will remain subject to the provisions of this Privacy Policy;
    • to generate Anonymized Data and Anonymized Aggregated Data (as defined below); and
    • to respond to your requests for exercising your rights under the applicable Data Protection Laws.
  2. Use of Non-Personal Data: Salt Edge may generate anonymous data derived from or based on Personal Data collected from you or acquired from your use of the Services, which anonymous data does not relate to an identified or identifiable natural person ("Anonymized Data"), and may combine or incorporate such Anonymized Data with or into other similar data or information collected from other users or derived from other users’ use of the Services ("Anonymized Aggregated Data"). Salt Edge may use such Anonymized Data and Anonymized Aggregated Data for various business purposes, including, but not limited to:
    • providing, maintaining, supporting and improving the Services;
    • conducting analytical research, compiling statistical reports and performance tracking;
    • developing and/or improving other Salt Edge’s services and products; and
    • sharing such Anonymized Data and Anonymized Aggregated Data with Salt Edge’s affiliates, agents or other third parties with whom Salt Edge has a business relationship.
  3. Anonymized Data and Anonymized Aggregated Data are not Personal Data, and consequently the provisions in this Privacy Policy are not applicable to such data.


6. CHILDREN'S PRIVACY

Protecting the privacy of children is especially important to Salt Edge. The Services are not directed to children under the age of eighteen (18) years and Salt Edge does not knowingly solicit, collect or process Personal Data from persons under eighteen (18) years of age. If Salt Edge becomes aware of the fact that Personal Data of persons less than eighteen (18) years of age has been collected via the Services, Salt Edge will take the appropriate steps to delete such information without undue delay.


7. DISCLOSURES AND TRANSFERS

By using the Services and submitting any Personal Data to Salt Edge, you acknowledge and agree that your Personal Data may be processed in and transferred to jurisdictions other than your country of residence which may have data privacy and protection laws different than those in your country. Personal Data may be accessed by personnel authorized by Salt Edge or acting on Salt Edge’s behalf from the United Kingdom, Canada and Moldova for the purposes of troubleshooting and debugging. Your Personal Data will only be stored within the EU and will only be transferred outside EU as set forth in the GDPR. Salt Edge will take all adequate measures to ensure that Personal Data is at all times treated securely and in accordance with this Privacy Policy.

Salt Edge will only transfer and/or disclose Personal Data as specified in this Privacy Policy, unless you give Consent to the disclosure and/or transfer to any other third party.

  1. Disclosure and/or Transfer to Subcontractors: Salt Edge has put in place adequate contractual (including data protection, confidentiality and security provisions) and other technical and organizational measures with subcontractors that Salt Edge may engage from time to time in connection with the provision, operation, security and/or maintenance of the Services or part thereof ("Subcontractors"). Salt Edge will restrict access, disclosure and/or transfer of Personal Data to its Subcontractors to what is strictly necessary for the performance of such Subcontractors’ contractual obligations towards Salt Edge. Salt Edge will ensure that each Subcontractor complies with the provisions in this Privacy Policy. At the date of this Privacy Policy Salt Edge engages the following Subcontractors:
    • Salt Edge Inc. in Canada
  2. Disclosure and/or Transfer to Processors: Salt Edge may disclose and/or transfer Personal Data to Processors engaged by Salt Edge to carry out the processing of Personal Data on Salt Edge’s behalf in connection with the provision of Services. Salt Edge will ensure that any engaged Processor provides sufficient guarantees that appropriate technical and organizational measures are implemented and that processing of Personal Data by Processor will meet the requirements set forth in this Privacy Policy and the applicable Data Protection Laws. If processing of Personal Data by Processor will involve transfer by Salt Edge of Personal Data to a third country, such transfer will be subject to articles 45 and 46 of the GDPR and will take place either (i) on the basis of an adequacy decision by the European Commission, or (ii) by entering into the standard contractual clauses adopted by the European Commission, or by ensuring the respective Processor has signed up to the EU-US Privacy Shield. At the date of this Privacy Policy Salt Edge engages the following Processor:
    • Salt Edge Inc. in Canada
  3. Disclosure to ASPSPs: Salt Edge will disclose certain Personal Data (particularly, Personalized Security Credentials and in certain cases, depending on the ASPSP, your Payment Account number) to your respective ASPSP in order to provide the Account Information Services to you.
  4. Disclosure by Transmission to Partner: Salt Edge will transmit your Payment Account Data (after processing, including without limitation data enrichment, carried out by Salt Edge on such data) to the designated Partner based on your GDPR Consent to Transmit Data.
  5. Disclosure for Legal Reasons: Salt Edge may disclose Personal Data without your Consent when Salt Edge believes in good faith that the disclosure of such information is reasonably necessary or appropriate:
    • to comply with the Data Protection Laws, any subpoena, enforceable request from the competent authorities, or other legal process;
    • to enforce Salt Edge’s rights against you or in connection with a breach by you of the Salt Edge Dashboard Terms of Service, including investigation of potential violations;
    • to help detect, curb or investigate fraud or other prohibited or illegal activities that affect or hurt the interests of Salt Edge or third parties;
    • to identify, contact or bring legal action against someone who may be causing injury to, or interference with (either intentionally or unintentionally), Salt Edge’s rights or property, other users of the Services, or anyone else (including the rights or property of anyone else) that could be harmed by such activities; and
    • to help Salt Edge comply with a legal obligation to which Salt Edge is subject, or accounting or security requirements, in which case Salt Edge may disclose such information to its auditors, professional consultants, accountants and/or legal advisors.

    In all the foregoing cases, Salt Edge will disclose Personal Data only as required or permitted by the applicable Data Protection Laws.

  6. Transfer of Ownership: Your Personal Data may be disclosed and/or transferred upon change of control as a result of a sale of all or a substantial portion of Salt Edge’s assets or stock, merger, acquisition or reorganization, including any due diligence process carried out in relation to the same, provided that the Personal Data disclosed continues to be used solely for the purposes permitted by, and subject to the provisions of, this Privacy Policy by the entity acquiring access to such information. If the entire or substantial ownership of Salt Edge or Services were to change, your Personal Data may be transferred to the new owner to ensure continuity of the Services. In any such transfer of ownership your Personal Data will remain subject to the provisions of the then and current Privacy Policy. Salt Edge will provide reasonable advance notice to you via the Services and/or by email notification of any such change in ownership or control of your Personal Data or in case such Personal Data becomes subject to a different privacy policy.

8. LEGAL BASIS FOR PROCESSING

Salt Edge acts as Controller of your Personal Data processed in connection with the provision of Services. Salt Edge will adhere to the following general principles with respect to Personal Data processing:

  1. not collect more Personal Data than is necessary for the purpose of providing the Services;
  2. not use Personal Data for any other purposes than those specified in this Privacy Policy;
  3. ensure that all personnel authorized by Salt Edge to process Personal Data have committed themselves to confidentiality obligations or are otherwise under an appropriate statutory obligation of confidentiality; and
  4. not knowingly solicit, access, collect and/or process any Special Categories of Personal Data.

Salt Edge’s legal bases for processing the Personal Data collected as described in this Privacy Policy will depend on the type of Personal Data and the circumstances under which it is collected. Salt Edge will collect and process Personal Data based on the following legal bases:

  1. processing is necessary for the performance of a contract to which you are a party, particularly for the provision of the Services under the Salt Edge Dashboard Terms of Service;
  2. processing is based on your GDPR Consent to Transmit Data, pursuant to which Salt Edge discloses by transmission to the designated Partner the Personal Data indicated in such GDPR Consent to Transmit Data;
  3. processing is necessary for compliance with a legal obligation to which Salt Edge is subject; and/or
  4. processing is necessary for the purposes of the legitimate interests pursued by Salt Edge as the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require the protection of Personal Data.

If there is another legal basis for Salt Edge to collect and process Personal Data, Salt Edge will provide the required notification to you at or before the time the Personal Data is collected.

If you voluntarily submit or provide Personal Data to Salt Edge when contacting us with an enquiry or request relating to the Services, Salt Edge Dashboard, your User Account or otherwise, you will be deemed to have given Consent to the collection, use and processing of Personal Data by Salt Edge as reasonably necessary to carry out the specific purpose(s) for which you have provided the Personal Data. Salt Edge will rely on such implied Consent as if it were given to Salt Edge under normal circumstances.


9. PARTNER’S ROLE UNDER THE DATA PROTECTION LAWS

By transmitting your Payment Account Data to the Partner designated in the GDPR Consent to Transmit Data, such Partner, as the receiving party, will act as an independent Controller with respect to the transmitted Personal Data. Therefore, the Partner is solely responsible for complying with its obligations as Controller as set forth in the applicable Data Protection Laws, including without limitation with respect to the processing, confidentiality and security of your Personal Data by Partner after transmission of such data by Salt Edge. Salt Edge will not responsible for any subsequent processing carried out by any Partner to whom Salt Edge transmits your Personal Data based on your GDPR Consent to Transmit Data. Salt Edge will only be responsible for the transmission of your Personal Data and ensuring that it is transmitted securely and to the right destination.


10. SPECIAL CATEGORIES OF PERSONAL DATA

Salt Edge will not solicit from you, nor will we knowingly collect or process, any Special Categories of Personal Data. You are requested at all times to refrain from voluntarily providing any Special Categories of Personal Data by any means of communication to Salt Edge.


11. ANTI-SPAM LEGISLATION

Salt Edge is committed to controlling unsolicited commercial email, or “spam”. In this respect, Salt Edge will include an “unsubscribe” or “opt-out” link in any informational emails that we may send to you from time to time. You can opt out of receiving such informational emails by following the instructions included in the emails. Salt Edge will not sell, lease or rent its email subscribers lists to any third party, nor will Salt Edge use the collected email addresses for purposes other than those for which they were initially collected without your Consent. You can not opt out of receiving any emails that Salt Edge is required by law or regulation to provide to you in connection with the Services, such as system notification emails, notification on changes or updates to this Privacy Policy or the Salt Edge Dashboard Terms of Service, or other important mandatory notifications relating to your use of the Services.


12. THIRD PARTY WEBSITES

The Services may include links to, or otherwise direct your attention towards, websites operated and controlled by third parties (including without limitation Partners and ASPSPs) and not by Salt Edge. Such links are provided solely for your convenience and informational purposes. Access to any third party website is at your own risk, and you must be aware of the fact that linked websites have terms and privacy policies different from those of Salt Edge and Salt Edge does not control them. If you decide to provide any Personal Data when accessing such links or using the services provided by such third parties, the respective third parties, and not Salt Edge, will be responsible for complying with the obligations set forth in the applicable Data Protection Laws in respect of any Personal Data you submit to them and any processing activities carried out by such third parties on your Personal Data.


13. YOUR RIGHTS UNDER GDPR

Taking into account the nature of the processing and the type of Personal Data processed, you have the right to exercise the following rights as set forth in the GDPR:

  1. the right to be informed: you have the right to receive fair processing information about your Personal Data processed by Salt Edge.
  2. the right of access: you have the right to obtain: (i) confirmation that your Personal Data is being processed, and (ii) access to such Personal Data.
  3. the right to rectification: you are entitled to have Personal Data rectified if it is inaccurate or incomplete.
  4. the right to erasure (right to be forgotten): you have the right to request the deletion of your Personal Data when there is no compelling reason for its continued processing or, where the Consent is the legal basis for processing, you withdraw Consent to such processing.
  5. the right to restrict processing: you have the right to block processing of your Personal Data on the grounds specified in the GDPR.
  6. the right to data portability: you may request to receive free of charge a copy of Personal Data stored in Salt Edge’s systems in a structured, commonly used and machine-readable format, or have Salt Edge transmit the data directly to another organization, if this is technically feasible.
  7. the right to object: you have the right to object to: (i) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), (ii) direct marketing (including profiling), and (iii) processing for purposes of scientific/historical research and statistics.
  8. rights in relation to automated decision-making and profiling: you have the right to object to processing of Personal Data for the purposes of automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of Personal Data to evaluate certain things about an individual).
  9. the right to lodge a complaint with a Supervisory Authority: you have the right to lodge a complaint about Salt Edge’s data protection and privacy practices, or the exercise of any of your rights with respect to your Personal Data, with your local Supervisory Authority.
  10. the right to withdraw Consent: provided that the Consent is the legal basis for processing, you may withdraw Consent to Salt Edge’s processing of Personal Data at any time. You may also withdraw your GDPR Consent to Transmit Data at any time by using the consent management tools available in the Salt Edge Dashboard or by contacting us.

You may exercise any of the foregoing rights at any time by contacting Salt Edge at privacy@saltedge.com. Salt Edge will endeavor to respond to any requests submitted by you in the manner and as set forth in the GDPR. Where your requests for exercising your rights under GDPR are manifestly unfounded or excessive, in particular because of their repetitive character, or further copies of the Personal Data undergoing processing are requested, Salt Edge may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested.


14. DATA RETENTION AND DELETION

Salt Edge will retain Personal Data for no longer than strictly necessary for the purposes for which such Personal Data is collected and processed. The retention period depends on the requirements of the applicable laws or regulations Salt Edge must comply with, the purposes of the collection and processing of Personal Data, and the legitimate interests of Salt Edge to establish, exercise or defend our legal rights.

Salt Edge will delete your Personal Data from our production servers when:

  1. you exercise the right to be forgotten or, if applicable, withdraw Consent;
  2. you delete your User Account or such account is terminated by Salt Edge as described in the Salt Edge Dashboard Terms of Service;
  3. Salt Edge deletes your User Account if is inactive for more than six (6) months; or
  4. Salt Edge terminates the provision of Services under the Salt Edge Dashboard Terms of Service.

As a result of the deletion, your Personal Data associated with your User Account will be deleted and excised permanently from Salt Edge’s production servers, subject to Salt Edge’s right to generate Anonymized Data and Anonymized Aggregated Data prior to such deletion. Further use of the Services by you will be impossible. Notwithstanding anything to the contrary in this Privacy Policy, Salt Edge will retain your Personal Data or portions thereof:

  1. in backup files on its backup servers for a period of up to one (1) month from the date of deletion from the production servers in order to ensure compliance with internal business continuity and disaster recovery procedures; and
  2. in log files in order to: (i) comply with the requirements of the applicable laws or regulations, (ii) exercise or defend (ongoing) legal claims, and (iii) meet audit or statutory requirements. The retention period for Personal Data retained in log files shall be a minimum of five (5) years from the date of deletion from the production servers, or such longer period as required by the applicable laws, unless subject to statutory or regulatory change.

Backups and log files containing Personal Data are stored separately from the production servers. All Personal Data retained in backup files and log files will be treated in accordance with the terms of this Privacy Policy for as long as it is retained before being automatically deleted after the retention period has elapsed.

Backup files are stored using strong asymmetric encryption and Salt Edge’s authorized personnel don’t access such files in the ordinary course of business operations, nor will Salt Edge actively process any Personal Data retained in backup files anymore.


15. PERSONAL DATA SECURITY

  1. Online Confidentiality:
    1. You must keep secure the access credentials for your User Account and never disclose them to any third party. You are solely responsible for maintaining the confidentiality of such access credentials. If you suspect that the access credentials have been stolen or become known to others, you must change them immediately and contact Salt Edge promptly at support@saltedge.com. Salt Edge shall not be responsible for any loss or damage resulting from access to your User Account through Registration Information or access credentials obtained from you or through violation of this Privacy Policy or the Salt Edge Dashboard Terms of Service.
    2. Although Salt Edge will take appropriate measures to ensure that your Personal Data is treated and stored securely, unfortunately, the sending of information via the Internet is not totally secure and on occasion such information may be intercepted. Therefore, Salt Edge cannot guarantee the security of Personal Data that you choose to voluntarily send to Salt Edge via electronic means. Salt Edge expressly disclaims all liability for any interception or interruption of any Internet transmissions sent by you or any losses of or changes to data, including Personal Data, resulting from such interception or interruption.
  2. Personal Data Safeguards: Salt Edge is committed to maintaining the confidentiality, integrity and security of the Personal Data of users. Salt Edge employs advanced security techniques to safeguard Personal Data against unauthorized access, use and/or disclosure. Salt Edge strictly restricts access to Personal Data in accordance with specific internal procedures governing access to such information. Salt Edge carefully selects the individuals privileged with access to Personal Data in accordance with internal security policies and practices, and each such individual is bound by confidentiality obligations. The Services ensure secure communications with TLS encryption. To maintain the security of online sessions and protect Salt Edge’s systems from unauthorized access, Salt Edge uses a combination of firewall barriers, encryption techniques and authentication procedures, among others. Access to Salt Edge’s systems requires multiple levels of authentication, including biometric recognition procedures. Security personnel monitor the systems 24/7. Salt Edge databases are both physically and logically protected from general employee access. Salt Edge enforces physical controls on its premises. Salt Edge is routinely verified for its use of encryption technologies and audited for its privacy practices. Salt Edge tests its systems, the Salt Edge Dashboard and Services for any failure points that might allow hacking.

16. NOTIFICATION OF PERSONAL DATA BREACH

If a security breach causes an unauthorized intrusion into Salt Edge’s systems, software or networks that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data under Salt Edge’s control ("Personal Data Breach"), Salt Edge will notify the appropriate Supervisory Authority(ies) unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of affected users. Salt Edge will report the Personal Data Breach to the appropriate Supervisory Authority without undue delay after having become aware of it and in any case within the timeframes as provided for in the applicable Data Protection Laws, by including all the pertinent information relating to such Personal Data Breach as required by the applicable Data Protection Laws. When the Personal Data Breach is likely to result in a high risk to the rights and freedoms of affected users, or if required by the appropriate Supervisory Authority, Salt Edge will also communicate the Personal Data Breach to the affected users without undue delay.


17. PRIVACY POLICY UPDATE

Salt Edge reserves the right to change this Privacy Policy at any time and from time to time in order to reflect changes in the Services or the applicable laws. If Salt Edge decides to change this Privacy Policy in the future, Salt Edge will post an appropriate notice at the top of this Privacy Policy page and/or give you reasonable advance notice through the Services or by email. Any non-material change (such as clarifications) to this Privacy Policy will become effective on the date the change is posted and any material changes will become effective thirty (30) days from their posting in the Salt Edge Dashboard. Unless stated otherwise, this Privacy Policy applies to all Personal Data collected and processed by Salt Edge in connection with the Services. The date this Privacy Policy was last revised appears at the top of this document. You are advised to print a copy of this Privacy Policy for reference and revisit this Privacy Policy from time to time to ensure that you are aware of any changes. Your continued use of the Services after the changes to this Privacy Policy become effective signifies your acceptance of any such changes.


18. DATA PROTECTION OFFICER

Salt Edge’s data protection officer can be reached at any time by email at dpo@saltedge.com in case of any questions with respect to Salt Edge’s collection, use, disclosure or processing of Personal Data. Salt Edge is also registered with the Information Commissioner’s Office in the United Kingdom (reference number: ZA516320).


19. CONTACT

Any questions, comments or feedback regarding this Privacy Policy or any other privacy or security concern may be sent by email to support@saltedge.com.

Salt Edge Limited
Level 39, One Canada Square, Canary Wharf
London E14 5AB
United Kingdom