VALOS – PRIVACY NOTICE FOR CUSTOMERS
Last update: 22 November 2024
1. INFORMATION ABOUT THE COMPANY
This privacy notice (the “Privacy Notice”) outlines how Lumen Digital Oy (a Finnish limited liability company with business identity code: 3438158-5) (“Company”, “we”, or “us”) process personal data of customers and their representatives (“customer”, “you”, or “data subject”).
Personal data includes any information related to an identifiable individual, such as name, address, email address, telephone number, or identification documents. Protecting our customers’ personal data is of utmost importance to us. As part of Valos Group, we adhere to unified data protection principles across all group entities to ensure your information is handled responsibly and securely.
Our data processing practices comply with the European Union’s General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Finnish Data Protection Act (1050/2018, as amended). This Privacy Notice aims to inform you about the nature, scope, and purpose of the personal data we collect, use, and process, as well as your rights as a data subject.
If you have any questions regarding the processing of your personal data or wish to exercise your rights under GDPR, please contact us at: support@valos.io.
2. WHY AND HOW WE PROCESS YOUR PERSONAL DATA
2.1 Delivering Our Products and Services
We process your personal data to deliver and develop our products and services. The types of data we process include:
(a) Basic information and contact details: This includes information you provide when using our services, which may include but is not limited to your full name, date of birth, social security number or personal ID number, residential address, nationality, email address, and phone number.
(b) Service usage information: This includes details about your interactions with our services and platform (e.g., clickstream data, session duration, and pages visited), and transaction and commercial information (e.g., type of crypto-asset transacted, wallet addresses, timestamps, and currency amounts).
(c) Essential cookies and tracking technologies: We use cookies and similar technologies to enable essential website functionality. By default, strictly necessary cookies are enabled to ensure the core functionality of our platform.
The legal basis for this processing is our legitimate interests (Art. 6(1)(f) GDPR). Without this necessary information, we cannot provide our services.
2.2 Preventing and Detecting Financial Crimes
We process personal data to prevent and detect money laundering, terrorist financing, and other financial crimes, and to ensure our customers are not on any applicable sanctions lists. This involves:
(a) Basic information and contact details as outlined above.
(b) Know your customer (KYC) information: This includes details needed to identify and verify you and the source of your funds/wealth, such as identification document number, issuer country, copy of identification document, proof of residency, source of funds/wealth, proof of occupation, account purpose, cryptocurrency addresses and transactions, financial information.
(c) Legal entity details: Applicable to legal entity customers, this includes industry, registration details, commercial register extracts, financial information, beneficial owner register extracts, information on beneficial owners and directors (name, date of birth, residential address, nationality), and PEP status.
(d) Information from screening services and blockchain analytics tools: This refers to data obtained from specialized services that analyze blockchain transactions and screen for risks, including checks against lists of politically exposed persons (PEPs), sanctions, and other high-risk profiles.
(e) Information from other financial institutions in partnership with us: This includes data shared with us by our partner financial institutions, such as user identities, transaction details, or account activities (e.g., “travel rule” information).
The legal basis for this processing is compliance with a legal obligation (Art. 6(1)(c) GDPR).
2.3 Customer Service and Relationship Management
We use your data to manage customer service and relationships. This includes:
(a) Basic information and contact details as previously detailed.
(b) Service usage information.
(c) Essential cookies and tracking technologies.
(d) Non-essential cookies and tracking technologies: We use non-essential cookies and similar technologies to store user preferences, and support analytics or advertising activities. Non-essential cookies, such as those used for analytics and personalized advertising, are activated only with your explicit consent.
(e) Customer relationship management data: This includes past and current contracts, customer documentation, and event-related information.
(f) Correspondence data: Such as your name, email address, phone number, and account details.
(g) IP addresses and device information: This includes data such as your IP address, device type, model, operating system, browser type, screen resolution, and other technical specifications.
The legal basis for this processing is our legitimate interests (Art. 6(1)(f) GDPR). Without this information, our ability to offer our service safely and sustainably would be severely hampered.
2.4 Marketing Communications
We may process your personal data to inform you about our products, services, and special offers that may be of interest to you. The types of data we process for marketing purposes include:
(a) Contact information.
(b) Non-essential cookies and tracking technologies.
(c) Service usage information.
The legal basis for this processing is your consent (Art. 6(1)(a) GDPR) or, in certain cases, our legitimate interests (Art. 6(1)(f) GDPR). You have the right to withdraw your consent or object to marketing communications at any time. Without this data, we cannot provide tailored marketing or personalized recommendations.
2.5 Ensuring Service Security
To ensure the security of our services and to prevent, detect, and investigate abuses and unlawful activities, we process:
(a) Basic information and contact details.
(b) Service usage information.
(c) Customer relationship management data.
(d) Correspondence data.
(e) IP addresses and device information.
The legal basis for this processing is our legitimate interests (Art. 6(1)(f) GDPR). Without this information, our ability to offer our services safely and sustainably, as well as monitor compliance with our Terms of Service, would be severely hampered.
2.6 Additional data processing based on consent
To enhance user experience, personalize content, and analyze platform usage, we will, with your consent, utilize:
(a) Non-essential cookies and tracking technologies.
The legal basis for this processing is your consent (Art. 6(1)(a) GDPR). Non-essential cookies and tracking technologies are only activated when you provide explicit consent. Without this information, our ability to analyze platform usage, optimize service delivery, and offer personalized experiences would be significantly limited.
2.7 Compliance and Accounting
We process and store personal data for accounting purposes and to comply with other legal obligations. This may include user identifiers (such as user IDs) and, where applicable, other information like names and transaction details that are necessary for our accounting records.
The legal basis for this processing is compliance with a legal obligation (Art. 6(1)(c) GDPR).
3 PROFILING ACTIVITIES
We do not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on you. Our platform may use minimal profiling to enhance functionality, improve user experience, and ensure service security. This involves analysing data patterns like user interactions and browsing behaviour to detect security risks, optimize services, and personalize your experience. The data used includes service usage, device information, and website interactions. We conduct this profiling under our legitimate interests (Art. 6(1)(f) GDPR) to maintain a secure and user-friendly platform while respecting your data rights.
4 SOURCES OF PERSONAL DATA
We collect personal data from various sources, including:
(a) Directly from you: When you use our services and during the customer onboarding process.
(b) External sources: As specified in section 2 above, we receive information from third party service providers and similar external sources.
5 COOKIES AND ONLINE TRACKING TECHNOLOGIES
5.1 General
We use cookies and similar technologies to ensure our platform functions properly and to enhance your experience. Cookies are small text files stored on your device by your web browser when you visit a website. They serve a variety of functions, such as enabling essential features, improving site performance, and personalizing content. Cookies may be set by us (first-party cookies) or by third parties (third-party cookies) providing services on our behalf.
5.2 Categories of Cookies We Use
Essential cookies are necessary for the basic operation of the site, like user authentication and security, and are always enabled. Non-essential cookies, used for analytics, performance, and personalization, require your explicit consent before they are activated.
For more details about the specific types of cookies we use, their purpose, and how you can manage your preferences, please refer to the information available on our website.
(a) Necessary Cookies: These cookies are essential for the proper functioning of our services and therefore they cannot be switched off. They enable core functionalities, such as security, network management, and accessibility.
(b) Preference Cookies: Preference cookies enable our website to remember your preferences and settings, such as your language selection or region. These cookies enhance your experience by personalizing content to your preferences.
(c) Statistics Cookies: Also known as analytical cookies, these cookies collect anonymized data on how users interact with our website. This information helps us analyze usage patterns and improve the functionality and performance of our site. We only use these cookies with your consent.
(d) Marketing Cookies: Marketing cookies are used to deliver personalized advertisements and track the effectiveness of our marketing campaigns. They may also be used by third parties to show you relevant ads on other websites. These cookies are only activated with your explicit consent.
5.3 Cookie Consent Management
We are committed to giving you control over your personal data, including how cookies are used on our platform. Upon your first visit, you will be presented with a cookie banner or consent tool allowing you to manage your preferences for non-essential cookies. You can adjust your consent settings at any time through the cookie settings page or your browser’s cookie management options. If you have any questions about managing your consent or rights, please contact us using the details provided in this Privacy Notice.
5.4 Links to Other Websites and Content of Third Parties
Our services may contain links to third-party websites, which are provided for your convenience or informational purposes. Please note that we have no control over the content, functionality, or data practices of these external websites. As a result, we do not assume responsibility for the accuracy, relevance, or security of the information provided by these sites. Additionally, any cookies or tracking technologies used by these external websites are beyond our control, and we recommend reviewing the privacy and cookie policies of the respective providers.
6 RECIPIENTS OF PERSONAL DATA
6.1 Data Transfers to Group Companies
As part of Valos Group’s commitment to seamless service delivery and operational efficiency, we may share your personal data with other entities within our group where appropriate and lawful. This ensures that we can provide consistent and high-quality service across all areas of our business.
Access to your personal data is strictly limited to employees or teams that require it to meet contractual, legal, or operational obligations. We uphold rigorous security standards and ensure that data is handled with the highest level of confidentiality.
Where a group entity processes data on our behalf, we enforce stringent contractual measures to ensure compliance with applicable data protection laws and to safeguard the confidentiality and integrity of your personal information.
6.2 Data Transfers to Third Parties
We may share personal data with third-party service providers to support the processing activities described in this Privacy Notice and to help us provide our services. The personal data disclosed to these partners vary based on the type of service you use and is limited to what is necessary for the intended purpose.
We categorize our partners as either data processors or data controllers, depending on their role in handling your data:
Data processors: These are third parties that process personal data on our behalf, strictly according to our instructions, and solely for the specific purposes outlined in this Privacy Notice. Examples include:
(a) Email service providers: Supporting customer communication, notifications, and service updates.
(b) Cloud computing and storage services: Securely storing data and ensuring the platform's availability and scalability.
(c) Sales and customer relationship management (CRM) Services: Managing customer data to optimize interactions and improve service delivery.
(d) Identity verification services: Performing KYC checks and AML compliance for user identification.
(e) Online form building and survey services: Collecting customer feedback and user data to enhance platform features and services.
(f) Messaging apps for internal communication: Facilitating internal team communication and document management in a secure environment.
Data controllers: In specific instances, we may share personal data with partners who act as data controllers, determining their own data processing purposes. This typically includes, for example:
(a) Banks, payment service providers, and crypto-asset service providers: Handling transactions, payment processing, and asset transfers as required by financial regulations such as the Transfer of Funds Regulation (EU) 2023/1113 (“TFR”).
(b) External advisors: Such as lawyers, auditors, and financial consultants, who process data independently in order to provide professional advice or comply with their regulatory and legal obligations.
Personal data may also be disclosed to authorities (such as courts or law enforcement) or other third parties to detect and investigate unlawful activities, respond to legal proceedings, or comply with legal requirements.
6.3 Transfers of Personal Data Outside the EU/EEA
The Company primarily stores personal data within the EU/EEA. However, due to the global nature of our platform, some data processing may occur in countries outside the EU/EEA when we engage third-party service providers.
To ensure your data remains protected, we use recognized safeguards such as:
(a) Standard contractual clauses (SCCs) to ensure data transfers meet EU standards.
(b) Adequacy decisions for countries deemed to have adequate data protection by the European Commission.
(c) Additional measures like data access controls and regular audits to maintain compliance with data protection laws.
These steps help ensure that your personal data is safeguarded even when processed internationally.
7 PROTECTION AND STORAGE OF PERSONAL DATA
We are committed to safeguarding your personal data by implementing security measures designed to protect its confidentiality, integrity, and availability. Access to personal data is restricted to authorized personnel based on their job responsibilities, and we maintain strict controls to prevent unauthorized access, use, or disclosure.
To ensure data protection, we regularly review our security practices and update them as needed to address emerging risks and threats. All employees and partners involved in processing your personal data are bound by confidentiality obligations.
Our data retention practices are guided by the following principles:
(a) Data retention during customer relationship: Personal data is stored and processed for the duration of your customer relationship to deliver our services and meet contractual obligations.
(b) Regulatory data retention requirements: Data that must be retained for compliance with legal obligations, such as Know Your Customer (KYC) information, is kept for up to five years after the end of your relationship with us, in line with regulatory requirements.
(c) Data minimization and deletion: Personal data that is no longer necessary for the specified purposes will be securely deleted or anonymized in accordance with GDPR’s data minimization principles.
We regularly review our data storage practices to ensure that outdated, incompatible, or inaccurate personal data is promptly corrected or erased. These measures help us ensure that we only keep data for as long as necessary to meet our legal, contractual, and service-related obligations.
8 YOUR RIGHTS AS A DATA SUBJECT
8.1 Categories of Rights
As a data subject, you have the following rights:
(a) Right to Access (Art. 15 of GDPR): You can request access to the personal data we store about you.
(b) Right to Rectification (Art. 16 of GDPR): You can request the correction of inaccurate or outdated data. In some cases, you may be able to update your information yourself.
(c) Right to be Forgotten / Erasure (Art. 17 GDPR): You may request the deletion of your personal data, subject to certain legal or regulatory obligations that may require its retention.
(d) Right to Lodge a Complaint (Art. 77 GDPR): If you believe that the processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, work, or where the alleged infringement occurred.
Additionally, under certain conditions, you may have the following rights:
(e) Right to Restriction of Processing (Art. 18 GDPR): If you contest the accuracy of your personal data or if other conditions listed in Art. 18 GDPR are met, you can request the restriction of the processing of your personal data while your requests are being investigated and resolved.
(f) Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and, where technically feasible, to request its transfer to another controller when the processing is based on your consent or a contract and is carried out by automated means.
(g) Right to Object (Art. 21 GDPR): When processing is based on our legitimate interests under Art. 6(1)(f) GDPR, you have the right to object to the processing of your personal data on grounds relating to your particular situation.
(h) Right to Withdraw Consent (Art. 7(3) GDPR): You can withdraw your consent at any time, and we will stop processing your personal data based on that consent. This does not affect the lawfulness of processing carried out before your withdrawal.
8.2 Exercising Your Rights
All requests concerning your rights should be made in writing to the contacts mentioned in Section 1 of this Privacy Notice. Your request should include your name and contact details. We may ask for additional information to verify your identity; this information will not be used for any other purpose and will be deleted after verification.
We may charge a reasonable administrative fee for additional copies of your data. If you submit a request electronically and do not specify another delivery method, the information will be provided in a commonly used electronic format, provided it can be delivered securely.
We will respond to your requests within one month. If your request is complex or numerous, we may extend this period by an additional two months. In such cases, we will inform you within one month of receiving your request and explain why the extension is necessary.
9 UPDATES TO THIS DOCUMENT
We may update this Privacy Notice periodically to reflect changes in our practices, legal or regulatory requirements, or for other operational reasons. Any significant changes will be communicated to you in an appropriate manner, such as through a notice on our website or via email.
The “Last updated” date at the top of this Privacy Notice indicates when the latest changes were made. We encourage you to review this Privacy Notice regularly to stay informed about how we are protecting your information. If you continue to use our services after the updated Privacy Notice becomes effective, your use will be considered as acceptance of the changes.
10 COMMITMENT TO DATA PROTECTION
We are dedicated to protecting your personal data and maintaining transparency about how we process it. Your trust is important to us, and we strive to handle your personal data with the highest standards of security and confidentiality.
If you have any questions or concerns regarding this Privacy Notice or our data processing practices, please do not hesitate to contact us as outlined in Section 1 of this Privacy Notice.
Thank you for trusting us with your personal data.