Effective as of 25.09.2023
1. General terms
"Personal Data" refers to any information that directly or indirectly can identify a living natural person, such as name, address, contact details, identification numbers, online identifiers, etc.
2. Processing of the Personal Data
2.1 Collection of the Personal Data
Personal Data is collected from the User directly and from the User's use of the Services, as well as indirectly from external sources and third parties such as public and private registers or other providers of databases or other persons (see Section 6). Salto X may record phone calls, visual images, video, and/or audio, save e-mail communication, or otherwise document the User's interaction and communication with Salto X. Salto X primarily collects from and processes the Personal Data about the Users. Salto X also collects from and processes the Personal Data of such natural persons as:
legal representatives, authorised persons, contact persons, transaction partners, registrants, agents, payers, heirs;
who are connected to the Company, for example, shareholders, board members, corporate representatives, signatories, and ultimate beneficial owners.
2.2 Categories of the Personal Data
Salto X processes several categories of Personal Data from the Users and other third parties:
2.2.1. identification data such as - the User's first name and surname, middle name, gender, date of birth, place of birth, personal identity number, place of tax residence, tax ID;
2.2.2. contact data such as - the User's residence address or address for communication purposes, postal address, country of residence, email address and phone number, the language of communication;
2.2.3. financial data such as - bank account;
2.2.4. occupation (employment) data such as - data about employer, occupation, position grade, area of work, and working experience;
2.2.5. correspondence records such as - the User's communication with Salto X through the Salto X Platform via live chat, via email and/or by phone, or other tools which could be introduced, as well as information from surveys and polls (type, date, tracking ID);
2.2.6. location data such as - IP address, login place, and transaction place;
2.2.7. other data - voice and/or video recording data such as phone voice recordings.
Salto X does not process sensitive data related to the User's health, ethnicity, religious or political beliefs unless required by law or in specific circumstances where, for example, the User reveals such data while using the Services.
4. Legal basis and purpose of processing the Personal Data
4.1. Performance of agreements
For Salto X to provide the Services it shall gather certain information about Users. In such cases, the main purpose of the processing of the User's data by Salto X is to document, execute and administer agreements with the User.
Examples of such purposes of processing are:
to take steps at the request of the User prior to entering into an agreement, as well as to conclude, execute, maintain, and terminate an agreement with the User.
to execute national and international transactions via financial institutions, settlement, and payment systems.
to manage relations with the Users, as well as to authorise, provide, control, and administer access to the Services.
4.2. Compliance with legal obligations
For Salto X to comply with the legal obligations under applicable legislation, Salto X is required to process the User's Personal Data in accordance with regulatory legislation and data protection legislation.
Examples of such purposes of processing are:
before the User may use the Services on the Salto X Platform and during the cooperation with the User under the Agreement, Salto X performs the due diligence of the User, to verify the User's identity and to keep the User's data updated and correct by verifying and enriching data through external and internal registers;
to prevent, discover, investigate, and report money laundering, and terrorist financing;
to comply with rules and regulations related to accounting, tax information exchange, and risk management.
4.3. Legitimate interest
Some purposes of the User's Personal Data processing are based on Salto X legitimate interests balanced against the User's as a data subject's interests and rights.
Examples of such purposes of processing are:
to provide the User with additional Services, create offers, and direct marketing activities through different channels;
to develop, examine and improve Salto X business, the Services, and the User experience, to strengthen User’s satisfaction and loyalty, as well to strengthen Salto X brand, to perform surveys, analyses, and statistics;
to organise lotteries, competitions, campaigns, and events for the Users;
to protect the interests of the User and/or Salto X and Salto X employees, including security measures;
to prevent, limit, and investigate any misuse or unlawful use or disturbance of the Services, including fraud prevention;
to ensure adequate provision of the Services and the safety of information within the Services, as well as to improve, develop and maintain Salto X website, technical systems and IT infrastructure, including testing Salto X digital environment;
to record phone calls and video streams with the Users for Service quality assurance and claims processing purposes;
to provide payment initiation and/or account information service to the User.
In some cases, Salto X will ask for the User's consent to process Personal Data. In those cases, the User will be separately informed about the particular purpose of processing. If the User submits sensitive data or data not requested by Salto X on its own initiative, processing will occur based on the User's explicit consent. The User can withdraw given consent at any time.
5. Profiling and automated decision making
Profiling is any form of automated processing of Personal Data used to assess certain personal characteristics of the User, in particular, to analyse or predict, for example, the economic situation, personal preferences, interests, and place of residence. Profiling is used, for example, to make analysis based on the performance of agreements and for marketing activities and service development based on Salto X legitimate interest or the User's consent. Salto X may make automated decisions in such processes as risk management and transaction monitoring to counter fraud in compliance with the regulatory legislation in areas of anti-money laundering, terrorism, and proliferation financing.
6. Transfer of Personal Data to third parties
As part of Salto X processing, Salto X may share the User's data with certain recipients such as authorities, Salto X group companies, suppliers, payment service providers, and business partners. At the same time, Salto X will not disclose more of the User's Personal Data than is necessary for the purpose of disclosure and in accordance with regulatory requirements and data protection legislation.
Recipients may process the User's Personal Data by acting as data processors and/or as data controllers. When a recipient processes the User's Personal Data on its own behalf as a data controller, the recipient is responsible for providing information on such processing of the User's Personal Data. Salto X undertakes to guarantee appropriate technical and organisational security measures to ensure that the Personal Data processor upholds security standards that are not lower than the security standards set by Salto X.
Salto X discloses the Personal Data to recipients such as:
authorities, such as law enforcement agencies, bailiffs, notaries, tax authorities, supervisory authorities and Financial Intelligence Unit, and any other authorised person, including administrators, which are involved in any restructuring process of the Companies;
third party, who is taking debt collection steps to recover debt from the User (such as debt collectors, lawyers, court bailiffs, insolvency administrators, etc.);
to the parent (holding) company of Salto X, its governing enterprise and any enterprises dependent on the governing enterprise, other companies or enterprises, which directly or indirectly have obtained a significant share in the share capital of Salto X or in which Salto X has obtained direct or indirect participation, insofar as such information is necessary for the performance of functions delegated to them;
credit and financial institutions, correspondent banks, custodian banks, insurance providers and intermediaries of services, third parties participating in the trade execution, settlement, and reporting cycle;
financial and legal consultants, auditors, or any other data processors of Salto X, insofar as such information is necessary for the performance of functions delegated to them;
providers of databases and registers, e.g. to population registers, commercial registers, securities registers, or other registers holding or intermediating the User's data, debt collectors and bankruptcy, bailiffs, notaries or insolvency administrators;
participants and/or parties related to domestic, European, and international payments;
persons and suppliers related to the provision of the Services of Salto X, such as providers of IT, telecommunications, payment intermediaries, credit institutions, hosting, archiving, postal services, etc.
Please be informed that the User data may be requested by the state authorities located in the countries where Salto X offers its services, including countries outside the EU/ EEA. In all such cases, Salto X evaluates the request and assesses whether the provided reasoning for the disclosure of the User's data is substantiated, whether the requested data amount is proportional, and whether the correct channels have been used to request the disclosure of the User's data. Unless prohibited by law, Salto X will inform the User about receiving a request to disclose the particular User's data.
7. Geographical area of processing
As a general rule, the User's Personal Data is processed within the European Union/ European Economic Area (referred to as "EU/ EEA") but in some cases may be transferred to and processed in countries outside of the EU/EEA.
The transfer and processing of Personal Data outside of the EU/EEA can take place provided there is a legal basis and one of the following conditions:
the country outside the EU/EEA, where the recipient is located, has an adequate level of data protection as decided by the EU Commission;
the controller or processor has provided appropriate safeguards, for example, the EU Standard Contractual Clauses or other authorised contractual clauses, approved codes of conduct, or certification mechanisms;
there are derogations for specific situations applicable, for example, the User's explicit consent, the performance of a contract with the User, conclusion or performance of a contract concluded in the interest of the User, establishment, exercise, or defense of legal claims, important reasons of public interest. Upon request, the User can receive further details on his/ her data transfers to countries outside the EU/EEA.
8. Retention period
Personal Data will be retained for no longer than is necessary for the particular purpose of processing for which the data is collected, or which is stipulated in the regulatory legislation.
Personal Data will be processed by Salto X as long as the contractual relationship with the User exists.
In cases when Personal Data processing occurs based on the User's consent, the Personal Data will be retained as long as the consent is valid.
Other retention periods may be established and applicable when the Personal Data is processed for purposes based on Salto X legitimate interest, for example, for the establishment, exercise or defence of legal claims, for a maximum period of limitation according to the regulatory legislation.
In all cases, Salto X limits the processing of Personal Data to a minimum.
9. Your rights as a data subject
Salto X respects User's rights to access, manage and control the Personal Data that Salto X processes. Once Salto X receives a request from the User to exercise any of the rights listed below, Salto X will review the User's request and provide a response without undue delay and in any event within one month of receipt of the request.
According to the data protection legislation, this time period may be extended if the User's request is complex or if due to the number of received requests, Salto X cannot prepare a reply within the previously set time limit. In this case, Salto X informs the User about the extension of the time limit for preparing a reply to the User's request and indicates the specific term for preparing a reply.
Should the User wish to exercise any of the rights listed below, the User can do so by submitting a request in one of the following ways:
9.1. by sending an electronic request to: firstname.lastname@example.org
9.2. by sending a signed request to: Estonia, Tallinn, Vana-Kalamaja 45-14, 10415
Salto X reserves the right to request additional information from the User in order to verify the identity of the person, who has sent the request, and to protect the User's data from being disclosed to unauthorised persons, as well as to request a signed request with secure e-signature or with handwritten signature for verification and security purposes. If the User or Salto X has terminated the Agreement and is not able to identify the data subject via the User's Account, Salto X has the right to request identification of the person before any Personal Data disclosure, based on such request.
The User has the right to access the Personal Data free of charge. However, if the User's requests are manifestly unfounded or excessive, Salto X retains the right to charge a reasonable fee or to refuse to act on the request.
Below is a summary of the User's specific rights:
receive confirmation if the User's Personal Data is being processed by Salto X and, if so, then to access it;
require the User's Personal Data to be corrected if it is inadequate, incomplete, or incorrect;
require the erasure of the User's Personal Data;
restrict the processing of the User's Personal Data;
object to the processing of the User's Personal Data if the processing is based on Salto X's legitimate interests;
object to the processing of the User's Personal Data for direct marketing;
receive the Personal Data that is provided by the User and is being processed based on consent or performance of an agreement in a structured, commonly used electronic format and, where feasible, transmit such data to another service provider (right to data portability);
withdraw the consent to process the User's Personal Data;
request not to be subject to fully automated decision-making, including profiling, if such decision-making has legal effects or similarly significantly affects the User. This right does not apply if the decision-making is necessary in order to enter into or to perform an agreement with the User, if the decision-making is permitted under the data protection legislation, or if the User has provided explicit consent.
If the User considers that the processing of the User's Personal Data infringes the User's rights and interests under the data protection legislation, the User can lodge a complaint. The complaint can be lodged with a supervisory authority (Estonian Data Protection Inspectorate - https://www.aki.ee/en) or with a supervisory authority in the EU Member State of the User's habitual residence or place of work.