1. General terms
2. Processing of personal data
2.1. Collection of personal data Personal Data is collected from the User directly and from the User's use of the Services, as well as indirectly from external sources such as public and private registers or other providers of databases or other persons (see Section 6). Salto X may record phone calls, visual images, video and/or audio, save e-mail communication or otherwise document the User's interaction and communication with Salto X.
Salto X primarily collects from and processes personal data about Users. Salto X also collects from and processes personal data of such natural persons as:
- legal representatives, authorised persons, contact persons, transaction partners, agents, payers, heirs;
- who are connected to the User - legal persons, for example: shareholders, board members, corporate representatives, signatories, ultimate beneficial owners.
- 2.2. Categories of personal data
- 2.2.1. identification data such as - the User's first name and surname, middle name, gender, date of birth, place of birth, personal identity number, place of tax residence, tax ID;
- 2.2.2. contact data such as - the User's residence address or address for communication purposes, postal address, country of residence, email address and phone number, language of communication;
- 2.2.3. financial data such as - bank account, digital wallet address;
- 2.2.4. occupation (employment) data such as - data about employer, occupation, position grade, area of work, working experience; correspondence records such as - the User's communication with Salto X through the Salto X Platform via live chat, via email and/or by phone, or other tools which could be introduced, as well as information from surveys and polls (type, date, tracking ID);
- 2.2.5. location data such as - IP address, login place, transaction place;
- 2.2.6. other data - voice and / or video recording data such as phone voice recordings.
Salto X does not process sensitive data related to the User's health, ethnicity, religious or political beliefs unless required by law or in specific circumstances where, for example, the User reveals such data while using the Services.
4. Legal basis and purpose of processing personal data
4.1. Performance of agreements
For Salto X to provide Services it shall gather certain information about Users. In such cases the main purpose of the processing of the User's data by Salto X is to document, execute and administer agreements with the User.
- to take steps at the request of the User prior to entering into an agreement, as well as to conclude, execute, maintain and terminate an agreement with the User.
- to execute national and international transactions via financial institutions, settlement and payment systems, digital wallets.
- to manage relations with the Users, as well to authorise, provide, control and administer access to the Services. oice recordings.
4.2. Compliance with legal obligations
For Salto X to comply with the legal obligations under applicable legislation, Salto X is required to process the User's data in accordance with regulatory legislation and data protection legislation.
Examples of purposes for processing are:
- before the User may use the Services on the Salto X Platform and during the cooperation with the User under the Agreement, Salto X performs the due diligence of the User, to verify the User's identity and to keep the User's data updated and correct by verifying and enriching data through external and internal registers;
- to prevent, discover, investigate and report money laundering, terrorist financing;
- to comply with rules and regulations related to accounting, tax information exchange and risk management.
4.3. Legitimate interest
Some purposes of the User's personal data processing are based on Salto X legitimate interests which are balanced against the User's as a data subject's interests and rights.
Examples of such purposes of processing are:
- to provide the User additional Services, create offers and direct marketing activities through different channels;
- to develop, examine and improve Salto X business, the Services, the User experience, to strengthen User satisfaction and loyalty, as well to strengthen Salto X brand, to perform surveys, analyses, statistics;
- to organise lotteries, competitions, campaigns and events for the Users;
- to protect the interests of the User and/or Salto X and Salto X employees, including security measures;
- to prevent, limit and investigate any misuse or unlawful use or disturbance of the Services, including fraud prevention;
- to ensure adequate provision of the Services and the safety of information within the Services, as well as to improve, develop and maintain Salto X website, technical systems and IT-infrastructure, including testing Salto X digital environment;
- to record phone calls and video streams with the Users for Service quality assurance and claims processing purposes;
- to provide payment initiation and/or account information service to the Client.
In some cases, Salto X will ask for the User's consent to process personal data. In those cases, the User will be separately informed about the particular purpose of processing. In case the User submits sensitive data or data not requested by Salto X on its own initiative, processing will take place based on the Client's explicit consent. The Client can withdraw a given consent at any time.
5. Profiling and automated decision making
Profiling is any form of automated processing of personal data used to assess certain personal characteristics of the User in particular to analyse or predict, for example, the economic situation, personal preferences, interests, place of residence. Profiling is used, for example, to make analysis based on performance of agreements and for marketing activities and service development based on Salto X legitimate interest or the User's consent. Salto X may make automated decisions in such processes as risk management and transaction monitoring to counter fraud in compliance with the regulatory legislation in areas of anti-money laundering, terrorism and proliferation financing.
6. Transfer of personal data to third parties
As part of Salto X processing, Salto X may share the User data with recipients such as authorities, Salto X group companies, suppliers, payment service providers and business partners. Salto X will not disclose more of the User's personal data than is necessary for the purpose of disclosure and with respect to regulatory legislation and the data protection legislation. Recipients may process the User personal data acting as data processors and/or as data controllers. When a recipient is processing the User's personal data on its own behalf as a data controller, the recipient is responsible for providing information on such processing of the User's personal data. Salto X undertakes to guarantee appropriate technical and organisational security measures to ensure that the personal data processor upholds security standards that are not lower than the security standards set by Salto X.
Salto X discloses personal data to recipients such as:
authorities, such as law enforcement agencies, bailiffs, notaries, tax authorities, supervisory authorities and Financial Intelligence Unit and any other authorised person, including administrators, which are involved in any restructuring process of the Companies;
third party, who is taking debt collection steps to recover debt from the User (such as debt collectors, lawyers, court bailiffs, insolvency administrators, etc.),
to the parent company of Salto X, its governing enterprise and any enterprises dependent on the governing enterprise, other companies or enterprises, which directly or indirectly have obtained a significant share in the share capital of Salto X or in which Salto X has obtained direct or indirect participation, insofar as such information is necessary for the performance of functions delegated to them;
credit and financial institutions, correspondent banks, custodian banks, insurance providers and intermediaries of services, third parties participating in the trade execution, settlement and reporting cycle; financial and legal consultants, auditors or any other data processors of Salto X, insofar as such information is necessary for the performance of functions delegated to them;
providers of databases and registers, e.g. to population registers, commercial registers, securities registers, or other register holding or intermediating the User's data, debt collectors and bankruptcy, bailiffs, notaries or insolvency administrators; participants and/or parties related to domestic, European and international payments;
persons and suppliers related to provision of the Services of Salto X, such as providers of IT, telecommunications, payment intermediaries, credit institutions, hosting, archiving, postal services, etc.
Please be informed that the User data may be requested by the state authorities located in the countries where Salto X offers its services, including countries outside the EU/ EEA. In all such cases Salto X evaluates the request and assesses whether the provided reasoning for the disclosure of the User's data is substantiated, the requested data amount is proportional and whether the correct channels have been used to request the disclosure of the User's data. Unless prohibited by law, Salto X will inform the User about receiving a request to disclose the particular User's data.
7. Geographical area of processing
As a general rule, User's personal data is processed within the European Union/ European Economic Area (referred to as “EU/ EEA”) but in some cases transferred to and processed in countries outside of the EU/EEA.
The transfer and processing of personal data outside of the EU/EEA can take place provided there is a legal basis and one of the following conditions:
the country outside the EU/EEA, where the recipient is located, has an adequate level of data protection as decided by the EU Commission;
the controller or processor has provided appropriate safeguards, for example, the EU Standard Contractual Clauses or other authorised contractual clauses, approved codes of conduct or certification mechanisms; there are derogations for specific situations applicable, for example, the User's explicit consent, performance of a contract with the User, conclusion or performance of a contract concluded in the interest of the User, establishment, exercise or defence of legal claims, important reasons of public interest. Upon request, the User can receive further details on his/ her data transfers to countries outside the EU/EEA.
8. Retention period
Personal data will be retained for no longer than is necessary for the particular purpose of processing for which the data is collected, or which is stipulated in the regulatory legislation.
Personal data will be processed by Salto X as long as the contractual relationship with the User exists.
In cases when the processing of personal data takes place based on the User's consent, the personal data will be retained as long as the consent is valid.
Other retention periods may be established and applicable when the personal data is processed for purposes based on Salto X legitimate interest, for example, for the establishment, exercise or defence of legal claims, for a maximum period of limitation according to the regulatory legislation.
In all cases, Salto X limits the processing of personal data to a minimum.
9. Rights of data subject
Salto X respects User's rights to access, manage and control the personal data that Salto X processes. Once Salto X receives a request from the User's to exercise any of the rights listed below, Salto X will review the User's request and provide a response without undue delay and in any event within one month of receipt of the request.
According to the data protection legislation this time period may be extended if the User's request is complex or if due to the amount of received requests Salto X cannot prepare a reply within the previously set time limit. In this case Salto X informs the User about the extension of the time limit for preparing a reply to the User's request and indicates the specific term for preparing a reply.
Should the User wish to exercise any of the rights listed below, the User can do so by submitting a request in one of the following ways:
9.1. by sending an electronic request to: firstname.lastname@example.org; 9.2. by sending a signed request to: Estonia, Tallinn, Vana-Kalamaja 45-14, 10415.
Salto X reserves the right to request additional information from the User in order to verify the identity of the person, who has sent the request, and to protect the User's data from being disclosed to unauthorised persons, as well as to request signed request with secure e-signature or with handwritten signature for verification and security purposes. If the User or Salto X has terminated the Agreement and is not able to identify data subject via User's Account, Salto X has the right to request identification of the person before any personal data disclosure, based on such request.
The User has the right to access the personal data free of charge. However, if the User's requests are manifestly unfounded or excessive, Salto X retains the right to charge a reasonable fee or to refuse to act on the request.
Below is a summary of User's specific rights:
- receive confirmation if the User's personal data is being processed by Salto X and, if so, then to access it;
- require the User's personal data to be corrected if it is inadequate, incomplete or incorrect;
- require the erasure of the User's personal data;
- restrict the processing of the User's personal data;
- object to processing of the User's personal data if processing is based on Salto X legitimate interests;
- object to processing of the User's personal data for direct marketing;
- receive the personal data that is provided by the User and is being processed based on consent or performance of an agreement in a structured, commonly used electronic format and, where feasible, transmit such data to another service provider (right to data portability);
- withdraw the consent to process the User's personal data;
- request not to be subject to a fully automated decision-making, including profiling, if such decision-making has legal effects or similarly significantly affects the User. This right does not apply if the decision-making is necessary in order to enter into or to perform an agreement with the User, if the decision-making is permitted under the data protection legislation or if the User has provided an explicit consent.
If the User considers that the processing of the User's personal data infringes the User's rights and interests under the data protection legislation, the User can lodge a complaint. The complaint can be lodged with a supervisory authority (Estonian Data Protection Inspectorate - https://www.aki.ee/en) or with a supervisory authority in the EU Member State of the User's habitual residence or place of work.
Original version: 14.02.2022.