1. General terms
2. Categories of User’s personal data
XPS LTD processes several categories of User’s personal data, including, User’s identification data, data obtained in the process of due diligence, contact information, User’s transaction data within the Platform, communication data, cookie data and other information provided by the User or obtained from Third Persons during the due diligence process.
XPS LTD processes the following categories of User’s personal data:
- User’s data, including, but not limited to, the User’s first name and surname, gender, date of birth, place of birth, personal identity number, tax ID, investor’s ID number, information form identity document, copy of an identity document, photograph, User’s bank account information, position grade, area of work, preferred language;
- Due diligence data, including, but not limited to, origin of funds, information on the purpose and intended nature of the business relationship, information gained from risk assessment-based activities;
- Contact Information, including the User’s address, country of residence, e-mail address and phone number, IP address;
- Transaction data, including the User’s invested funds, investments, transactions, incoming payments, claimed disbursements of money, information regarding the concluded assignment agreements, net annual return, selected currency, available funds, accountancy accounts;
- Communication data, including the User’s communication with XPS LTD through the Platform via live chat, via email and/or by phone, or other tools which could be introduced, as well as information from surveys and polls;
- Other information the User has delivered to XPS LTD, or which XPS LTD has collected at our own initiative from the sources permitted by law (including via media and internet).
3. Purposes of processing personal data
Please be informed that if the User fails to provide the personal data when processing of such data is necessary to enter into and fulfil the Agreement or required by statute, XPS LTD cannot provide the Services.
3.2. Providing Services to the User
Upon submission of the Registration Application and registration with the Platform, personal data of the User is used to enter into and fulfil the Agreement, which includes, but is not limited to, identifying the User, creating the Virtual Account to be used as a means to receive the Services, and providing the Services. This means that the sub-purposes specified below and the subsequent data processing is intertwined, and one purpose cannot be reached without reaching the other purposes.
3.2.1. Identifying the User and concluding the Agreement
This data is necessary to verify the User’s identity, conclude and fulfil the Agreement, communicate with the User regarding the conclusion and fulfilment of the Agreement, validate the email provided by the User. The personal data processing is based on the conclusion and fulfilment of the Agreement and compliance with such legitimate interests of XPS LTD as informing the User about the activity in the Virtual Account and protection of its rights and interests in case of a dispute as well as to comply with the statutory obligation to keep information on business activities conducted and to carry out due diligence as per applicable law.
3.2.2. Creating and maintaining the Virtual Account
In order to create and maintain the Virtual Account, the User’s data, Contact Information, Transaction data and Communication data is used. Additionally, such data as the User’s password is processed as well, however, nor XPS LTD, nor our cooperation partners have access to the User’s password.
This data is necessary to provide log in options in the Platform, to communicate with the User in case of any inquiries and to ensure a means by which the User can receive the Services. The personal data processing is based on the conclusion and fulfilment of the Agreement and compliance with such legitimate interests of XPS LTD as maintenance of the Virtual Account, informing the User about the activity in the Virtual Account and protection of its rights and interests in case of a dispute.
XPS LTD provides the User with the opportunity to opt-out from receiving certain notices in connection with the Services, such as daily summaries and notices about deposits. The User can choose which notices to receive in the Virtual Account.
3.2.3. Providing Services
In order to provide Services as per the Agreement, the User’s data, Contact Information and Transaction data is used. Other types of User’s personal data obtained from the User or created during the process of provision of Services can be processed as well, if necessary.
This data is necessary to ensure money deposits and withdraws, send daily summaries and notices about cash deposits, to provide any related services arising from Agreement, as well as prevent fraud and abuse of Services. The personal data processing is based on the conclusion and fulfilment of the Agreement and compliance with such legitimate interests of XPS LTD as informing the User about the activity in the Virtual Account and protection of its rights and interests in case of a dispute.
3.2.4. Sending verification reminders
In order to provide Services and take steps prior to conclusion of the Agreement, XPS LTD can send verification reminders to Users, who have not completed the verification process. XPS LTD may send reminders in the following time intervals – 24 hours, 3 (three) days, 7 (seven) days, 30 (thirty) days, 60 (sixty) days after the registration process has been initiated. 3.3. Enforcement of statutory obligations
In order to fulfil the statutory obligations in the fields of accountancy and anti-money laundering and terrorist financing prevention, XPS LTD processes the User’s data, Due diligence data, Communication Data, Contact Information and information specified by the User in the User’s questionnaire in accordance with the provisions of the laws and regulations of the Republic of Latvia and the internal control system of XPS LTD.
3.3.1. Due diligence
As per the applicable laws and regulations XPS LTD performs the due diligence of the User, which includes, but is not limited to, to identifying the User and verification of the User’s identity document and processing the Due diligence data, including the origin of the Users funds. As the due diligence and identification of the User is carried out remotely, XPS LTD has stricter obligations in relation to Users due diligence and a third-party verification portal is used for identification.
Identification of the User and verification of the Users identification document is carried out via a third-party verification portal, which processes the Users data and the Due diligence data. During this process, the User submits a photo and/or video of the Users face and identification document to the verification portal using the specially designed system of the third-party verification portal.
This data processing is based on the necessity to conclude and perform the Agreement and to comply with the legal obligations of XPS LTD in the field of anti-money laundering and terrorist financing prevention.
3.4. Sending of informational materials
Upon applying for receipt of informational materials, including, promo materials, the User agrees that User’s data, Contact Information, and certain Transaction data (funds invested and incoming payments) is used to prepare an appropriate commercial communication for the User based on the User’s data available to XPS LTD, using profiling, and to segment the User into a certain category. The User can withdraw consent for receipt of informational materials (such as newsletters, new product offers etc) at any time.
Informational materials include any and all communication from XPS LTD that is not connected to providing Services, the fulfilment of the Agreement or other essential information (such as a notice that the term of the provided personal identity number will expire).
XPS LTD uses profiling, i.e., automatic means for processing personal data, which allows XPS LTD to assess the Users interests, to determine which Services are most suitable for the User, to analyse the User’s activity and to segment the User into a certain category.
XPS LTD processes User’s personal data until the User withdraws the consent to receive informational materials or, in some cases, when the necessity to keep evidence that consent has been received is no longer in force. Withdrawing consent for receiving informational materials does not affect the consent given to process information obtained through cookies.
3.5. Service quality control
On the basis of the legitimate interest of XPS LTD to improve the quality of the Services, XPS LTD, within the aim to evaluate and control the quality of the Services, processes at least the Communication data when communicating with the User, for example, when conducting surveys and polls or resolving any issues in relation to the Services.
3.6. Compilation of statistical data
On the basis of the legitimate interest of XPS LTD to compile statistical data regarding the Services used by the Users, to improve the Service quality and to develop Services, XPS LTD, with the aim to analyze information related to the provision of the Services, processes summarized and anonymized information regarding the User’s data, Contact Information and Transaction data.
4. Manners of information collection
To ensure the provision of information and Services, as well as to fulfil the obligations under applicable law, XPS LTD collects information about the User in the following ways:
4.1. Directly from you as User or potential User:
4.1.1. Providing an opportunity to fill an application form on Platform;
4.1.2. By means of online communication by phone, e-mail, chat or other communication channels and/or technical tools;
4.2. In an automated way from you as User or potential User:
4.2.1. Technical information that may contain your IP address, device data, software data and similar data;
4.2.2. Social network information and content that may contain identification and social account data;
4.2.3. Cookies (for more information, please see the Cookies policy);
4.3. About you as the User from third parties:
4.3.1. Publicly available resources (social network, public registers);
4.3.2. Spark and Acuity databases;
4.3.3. Our cooperation partners and affiliated companies.
5. Transfer of information to third parties
XPS LTD and our cooperation partners mainly process the User’s personal data within the European Economic Area (hereinafter – EEA).
The User’s data is processed by XPS LTD and our cooperation partners that provide servers, IT, accounting, communication, email validation, bank, CRM, intermediary services that facilitate integration with other services and/or other subjects as stipulated in Clause 13.3. of the Agreement.
In accordance with Clause 13.3. of the Agreement XPS LTD has a right to disclose the User’s data to the entities specified below:
- to any person related to the fulfilment of commitments arising to XPS LTD from the Agreement (including to communications service providers, payment intermediaries, credit institutions, IT service providers, marketing service providers etc.);
- to the parent company of XPS LTD, its governing enterprise and any enterprises dependent on the governing enterprise, other companies or enterprises, which directly or indirectly have obtained a significant share in the share capital of XPS LTD or in which XPS LTD has obtained direct or indirect participation, insofar as such information is necessary for the performance of functions delegated to them;
- to outsourced service providers that XPS LTD has engaged in the provision of services arising from the Agreement, insofar as such information is necessary for the performance of functions delegated to them;
- to personal data processors, the supervisor whereof is XPS LTD, insofar as such information is necessary for the performance of functions delegated to them;
- upon handing over (transferring) a Claim to third parties;
- to a third party, who is taking debt collection steps to recover debt from the User (such as debt collectors, lawyers, court bailiffs, insolvency administrators, etc.);
- to XPS LTD legal, accounting, or auditing service providers, ensuring that the said persons have undertaken not to divulge such information;
- for the needs of statistics and any other research;
- in the course of legal research, as well as in case of sale of an enterprise;
- in the case provided for in regulatory enactments.
In the cases specified by law, XPS LTD is obligated to disclose the User’s personal data to state authorities.
XPS LTD does not disclose any personal data to state authorities or third parties without a legal basis. When delegating certain functions of XPS LTD to personal data processors, XPS LTD undertakes to guarantee appropriate technical and organisational security measures to ensure that the personal data processor upholds security standards that are not lower than the security standards set by XPS LTD.
In the cases specified by law, XPS LTD is obligated to disclose the User’s personal data to state authorities. However, XPS LTD does not disclose any personal data to state authorities or third parties without a legal basis. Please be informed that the User data may be requested by the state authorities located in the countries where XPS LTD offers its services, including countries outside the EEA. In all such cases XPS LTD evaluates the request and assesses whether the provided reasoning for the disclosure of User’s data is substantiated, the requested data amount is proportional and whether the correct channels have been used to request the disclosure of a User’s data. Unless prohibited by law, XPS LTD will inform the User about receiving a request to disclose the particular User’s data.
6. Receipt of information from third parties
As stated before, XPS LTD can and under certain circumstances has the obligation to obtain information about the User from third parties for reasons related to Service provision (for example, to verify Users email or to ensure proper payments), customer due diligence, legal obligations of XPS LTD in the field of anti-money laundering and terrorist financing prevention. XPS LTD can obtain or receive information about the User from payment institutions, public and private databases, social networks, and other sources.
For the aforementioned purposes, we can request and obtain:
- Information by searching for information about you, about your financial standing, credit standing, past and present liabilities and indebtedness, employment, as well as other necessary information in other publicly available sources;
- information from financial and payment institutions, including banks;
- information from companies within our group;
- information from our cooperation partners regarding the provision of payments, technical support or services;
- information in any other case, where you have given us the consent or there exists any other legal basis.
In order to ensure that our content, services and messages are consistent with you and similar to your target audience, we may collect information from you and about you to evaluate your potential areas of interest.
If information received from you or about you does not identify you as a natural person and/or is used in an anonymised or otherwise unidentifiable manner, we may use it for any purposes other than those previously mentioned, including transfer to third parties.
7. Where and how we store your information
The data that we collect from you will be transferred to and stored at a destination inside the EEA. All information you provide to XPS LTD is stored securely on our servers or servers of our partners. The information is encrypted.
Unfortunately, the transmission of information via the internet is not completely secure. Even though we will do our best to protect your personal data, we cannot fully guarantee the security of your data transmitted to us; therefore, transmission is at your own risk. Once we have received your information, we will use procedures and security features to try to prevent unauthorised access.
The access to your personal information within XPS LTD is limited to those employees who have a good business reason to access or know this information. This is achieved through both technical solutions and physical access rights, as well as proper training and education of our employees who have built appropriate safeguards.
8. Length of retention of information
All User related information, including information that is stored in the Virtual Account and all communications with XPS LTD, is stored as evidence confirming the identity of the User, conclusion of the Agreement, transactions made and fulfilment of the Agreement and is kept until the fulfilment of the Agreement, the data is no longer necessary to provide Services, the data storage timeframe or limitation period for legal proceedings established by the laws and regulations of the Republic of Latvia expires, whichever occurs later. Below is a summary of some key considerations how long each category of information is kept.
For accounting purposes, XPS LTD stores the User’s personal data in connection with the concluded and fulfilled Agreement for no less than 5 years after the conclusion of the Agreement.
For anti-money laundering and terrorist financing prevention purposes XPS LTD stores the User’s data in connection with verifying the identity of the User and the origin of the funds (including a copy of an identity document and all Communication data in relation to this) for 5 years after the conclusion of the Agreement.
The limitation period for legal proceedings is 10 years in accordance with the Civil law of the Republic of Latvia. Due to the fact that Transaction data is interconnected with the provision of Services, there may be situations where the Transaction data is stored for a longer period of time in order to provide services to other users.
The Communication data is retained for at least 1 (one) month up to 3 (three) years, depending on whether the Communication data contains relevant information regarding the performance of the Agreement or the provision of Services (for example, the provisions of the Agreement are changed, or the Customer submits a complaint about the quality of Services).
9. Your rights related to personal information
XPS LTD respects the User’s rights to access, manage and control the personal data that XPS LTD processes. Once XPS LTD receives a User’s request to exercise any of the rights listed below, XPS LTD will review the User’s request and provide a response without undue delay and in any event within one month of receipt of the request. This time period may be extended if the User’s request is complex or if due to the amount of received requests XPS LTD cannot prepare a reply within the previously set time limit. In this case XPS LTD informs the User about the extension of the time limit for preparing a reply to the User’s request and indicates the specific term for preparing a reply.
Should the User wish to exercise any of the rights listed below, the User can do so by submitting a request in one of the following ways:
- by sending an electronic request to email@example.com;
- by sending a signed request to Tedham House 117 Bedford Road, Cranfield, Bedford, Beds, MK43 0HD
An authorised person can submit a request on behalf of the User, provided that a valid power of attorney is enclosed with the request.
XPS LTD reserves the right to request additional information from the User in order to verify the identity of the person, who has sent the request, and to protect the User’s data from being disclosed to unauthorised persons.
The User has the right to access the personal data free of charge. However, if the User’s requests are manifestly unfounded or excessive, XPS LTD retains the right to charge a reasonable fee or to refuse to act on the request.
Below is a summary of User’s specific rights.
9.1. Right of access
The User is entitled to receive information on whether or not XPS LTD processes the User’s personal data, and, if XPS LTD processes said personal data, request a copy of the User’s personal data undergoing processing.
The User has the right to obtain the following information:
- purposes of the processing;
- categories of personal data being processed;
- personal data recipients or categories of such recipients;
- length of time the data will be stored (or criteria for determining the period);
- User’s rights in connection to the data processing;
- available information on the data source (if the personal data was not obtained from the User);
- existence of automated decision-making.
9.2. Right to rectification, to the extent possible
The User is entitled to request XPS LTD to rectify the User’s inaccurate or incorrect personal data. XPS LTD also provides the User with the option to rectify data in the Virtual Account, however not all data may be rectified through this channel. We will need to verify that the amended data is true and accurate.
9.3. Right to erasure, to the extent possible
The User is entitled to request XPS LTD to erase the User’s data. This right can be exercised if one of the following grounds applies:
- purposes of the processing have been reached;
- personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- User withdraws the given consent;
- User objects to the processing;
- personal data has been unlawfully processed;
- personal data has to be erased for compliance with a legal obligation.
XPS LTD reserves the right to reject the request to erase the User’s personal data if there is a legitimate legal ground for doing so, for example, to comply with a legal obligation which requires processing, to establish, exercise or defend legal claims, or for statistical purposes, providing appropriate technical and organisational security measures.
9.4. Right to the restriction of processing
The User is entitled to request XPS LTD to restrict processing if one of the following grounds applies:
- User contests the accuracy of the personal data, for a period that enables XPS LTD to verify the accuracy of the personal data;
- processing is unlawful, and the User requests restriction opposed to the erasure of the personal data;
- XPS LTD no longer needs the User’s personal data, but the personal data is necessary for the User to establish, exercise or defend legal claims;
- User has objected to processing pending the verification whether the legitimate grounds for processing of XPS LTD override those of the User.
Upon restricting the processing of the User’s personal data, XPS LTD will only process the User’s personal data after receiving consent from the User, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. This does not apply to storing personal data.
9.5. Right to object to the processing of personal data
The User is entitled to object to the personal data processing activities concerning direct marketing or which are based on XPS LTD legitimate interests but given the basis of the User’s particular situation they want to object to processing on this ground.
9.6. Right to data portability, to the extent possible
The User is entitled to request XPS LTD to receive and transfer the User’s personal data to the User or another data controller. The User can exercise this right insofar as the data has been provided by the User based on consent or a contract and the processing is carried out by automated means.
This right also applies to raw data that has been provided by the User, relates to the User’s activities or result from observation of the User, for example, activity logs, history of website usage. However, this does not apply to data that XPS LTD creates, for example, User profiles created by analysing the raw data, risk assessments to comply with anti-money laundering rules.
9.7. Right to withdraw consent
The User is entitled to withdraw previously given consent at any time via the Virtual Account. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. This right applies to receiving commercial notices and overviews from XPS LTD.
9.8. Right to submit a complaint to the national personal data protection authority
In case of any uncertainty related to your personal data, you are welcome to contact XPS LTD and we will seek to provide you with an answer or find a solution to your issue. However, if you believe we cannot find the solution, the User is entitled to submit a complaint to the national personal data protection authority regarding data processing activities conducted by XPS LTD.
9.9. Right to contact XPS LTD and obtain additional information on the processing of personal data.
The User is entitled to contact XPS LTD at any time and obtain additional information regarding processing activities.