In force from 2020-07-07

Privacy Policy

This Privacy Policy describes the general principles on how Change and Indexa B.V. process your personal data and is applicable to any person who uses, has used or has expressed their intent to use the services of Change or Indexa. All of the definitions used in and all circumstances not covered by this Privacy Policy shall be regulated by the terms and conditions of Change and Indexa and/or Regulation (EU) 2016/679.

The policy concerning the processing of cookies is described in Cookie Policy and is accessible on the Website.

Change has appointed a data protection officer, who can be reached via compliance@changeinvest.com. All of the inquiries and complaints concerning the processing of personal data should be addressed to said email address.

1. How is personal data collected?

1.1. Change is to be considered a data controller in respect of personal data collected and processed in respect of providing Services to you.

1.2. In the case of CFD Trading Indexa is to be considered a data controller in respect of personal data collected and processed in respect of providing services to you, in which case Change is considered either a data processor or a data controller. If the purpose and means of processing of personal data has been jointly determined by Indexa and Change, the parties are considered joint controllers, e.g. in cases where the purpose of processing your data is to notify you of amendments in terms and conditions, including this Privacy Policy, or marketing under our legitimate interest.

1.3. In the context of this Privacy Policy references to “we”, “us”, “our” means Change and Indexa, provided the parties are separate data controllers or joint controllers.

1.4. Generally personal data is collected directly from you, and from the information and documents you have provided. However, in order to comply with the legal obligations personal data is also collected from other sources, e.g. from third parties and public sources.

2. Which categories of personal data we are processing?

2.1. We are processing the following categories of personal data:

2.1.1. identification data, e.g. your photo, name, date and place of birth, address;

2.1.2. identity document data, e.g. photo of the document, number and validity;

2.1.3. contact data, e.g. phone number, email address;

2.1.4. financial data, e.g. ownership and source of funds;

2.1.5. transaction data, e.g. transaction sums, counter-parties, bank account and card number(s) and account holders;

2.1.6. other data used for performing customer due diligence measures and to prevent fraud, e.g. media coverage, occupation and connection to other persons, and location; and

2.1.7. correspondence between you and us.

3. For which purposes personal data is processed?

3.1. In general we are processing your personal data for the performance of or entering into a contract with you, i.e. personal data is processed for the purposes of providing the services. Without processing personal data, we would be unable to provide services to you.

3.2. The purposes for which we are processing personal data are the following:

3.2.1. fulfilling a contractual obligation, e.g. executing your transaction orders and ensuring the safety of your assets;

3.2.2. fulfilling a legal obligation, e.g. ensuring the security of accessing the Account and the transactions and using the data for accounting and reporting purposes;

3.2.3. public interest, e.g. by performing necessary acts in order to prevent money laundering and the financing of terrorism and thus to ensure the proper identity verification;

3.2.4. sending informative and promotional notifications, or collecting, processing storing and disclosing personal information, e.g. name and contact information, with our partners in order to conduct campaigns and ship the rewards, under a revocable consent received from you; and

3.2.5. our legitimate interest to prevent fraud and to improve our products and services, as well as to promote the launch and usage of new functionalities and features and to illustrate the benefits and possibilities of cryptocurrencies and investing, e.g. by identifying concurrently used app versions and by sending promotional content regarding new features and products, and to conduct campaigns, including in co-operation with third-parties, and ship the rewards.

3.3. For entering into and for the performance of the contractual agreement between you and us and for public interests, Change is applying certain automated decision-making methods to assess your capability, suitability, behaviour and reputation, whether to enter into or to continue a contractual relationship. The aforesaid assessment is accompanied by human-intervention by an employee of Change, who will perform the final assessment.

3.4. For entering into and for the performance of a legal obligation Indexa is obliged to assess your capability, suitability, behaviour, reputation and financial situation, whether to enter into or to continue a contractual relationship with you, in which case the personal data is processed by Change as a data processor on behalf of Indexa.

4. Which persons have access to the personal data?

4.1. Your personal data is being processed by the following categories of data recipients:

4.1.1. our employees responsible for specific tasks regarding the Services;

4.1.2. data processors who help us with providing the services, e.g. service providers for the maintenance of our IT-systems and for fulfilling our legal obligations;

4.1.3. third parties to whom we are required to transfer data under applicable legislation, e.g. relevant state institutions and sector-specific authorities.

4.2. Change has engaged a third-party service provider, Onfido Ltd, a company located and registered in the United Kingdom, for obtaining certain information required in relation to the fulfilment of its obligations under anti-money laundering and terrorist financing prevention rules. While providing services to Change, Onfido Ltd processes your personal data as a data processor, however, for enhancing its machine learning capabilities Onfido Ltd is also processing your personal data as a data controller. To acquaint yourself with the relevant data processing activities which Onfido Ltd undertakes as a data controller we advise your to read and review the privacy policy located on https://onfido.com/privacy. You should be aware that Change takes no responsibility in relation to processing activities Onfido Ltd undertakes as a data controller and you are free to exercise their rights as data subjects in relation to Onfido Ltd fully and independently.

4.3. We are not responsible for the actions and processing activities of any third parties. Third parties are considered to be separate data controllers, whose services can be procured by concluding separate agreements with them. Third parties may transfer your personal data to Third Countries and process it for independent purposes.

4.4. Certain activities may result in the transferring of personal data to Third Countries, meaning countries located outside the EU/EEA, and to countries in relation to which the EU Commission has not issued an adequacy decision, e.g. the US. For ensuring that your personal data is protected, we have committed to applying appropriate safeguards in the form of concluding relevant data processing agreements, standard data protection clauses adopted by the European Commission for the transfers and/or ensuring that the third-parties are participants in the Privacy Shield frameworks. In case you wish to know more about the safeguards and obtain a relevant copy of them, please contact us using the details specified above.

4.5. We shall maintain the confidentiality of all information of which we become aware on the basis of the relationship with you, including information concerning you and the Payment Account and Payment Transactions thereof, unless the right or obligation to disclose information arises from legislation.

4.6. We shall be released from the obligation to maintain confidentiality to the extent that you have granted consent to the disclosure of information in writing or in the Apps or our Website or to the extent a disclosure of confidential information is allowed or required under applicable laws and/or mandatory orders by regulatory authorities.

5. How long is personal data stored?

5.1. Your personal data is generally retained as long as you are using the Services. After you have stopped using the Services and your Account has been closed, your personal data shall be retained as long as any claims can be presented on the basis of such data under applicable legislation.

5.2. Certain data, e.g. data obtained for the purposes of the fulfilment of obligations related to anti-money laundering and terrorist financing prevention, or data necessary for accounting purposes, shall be retained as required under applicable legislation and industry standards. Generally, respectively at least for 5 or 7 years since the date of closing the Account, but not longer than 10 years.

5.3. We shall immediately terminate processing the data that is processed under your consent, if the consent is revoked, and the processing of personal data under legitimate interest, if you have declared objection to such processing.

6. What are your rights regarding data processing?

6.1. You, as a data subject, are, at any time, entitled to exercise the following rights:

6.1.1. The right to request the correction of your personal data;

6.1.2. The right to request access to your personal data;

6.1.3. The right to request the erasure of your personal data;

6.1.4. The right to withdraw the consent on which the processing is based;

6.1.5. The right to request the restriction of processing your personal data;

6.1.6. The right to object to the processing of your personal data;

6.1.7. The right to exercise data portability in cases where such data has been provided by you for the performance of or entering into a contractual relationship by accepting the Terms or under the consent; and

6.1.8. The right to lodge a complaint respectively to Estonian Data Protection Inspectorate at www.aki.ee or Dutch Data Protection Authority at https://autoriteitpersoonsgegevens.nl/en.