TBF FINANCE, UAB (hereafter also referred to as “the Company”, “we”, “us” or “our”) is licensed as a payment institution under Authorization Code LB000465 and is regulated by the Bank of Lithuania. The Company is incorporated under the laws of Lithuania with Company Code: 304483528 and has its registered address at Konstitucijos pr. 21A, Vilnius, LT-08130, Lithuania. The Company owns and operates the domain www.papel.com (hereafter the “Website”).
Data Subject (hereinafter “you” or “your”) stands for an identified or identifiable natural person, whose personal data the Company processes in the course of conducting business, regardless of whether the personal data were obtained from this person directly or from third parties.
Personal data means any information relating to an identifiable natural person (i.e. using information and data in order to directly or indirectly identify a specific person).
Processing means any operation(s) which is performed on personal data (or on sets of personal data) whether or not by automated means such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.
2. Scope and Applicability
As part of the Company’s daily operations, it is necessary to collect personal data from existing and prospective clients in order to be able to provide them with our products and services. This Policy describes how the Company collects, processes, uses, maintains, stores and discloses your personal information and data.
Any personal data the Company collects about the client will only be used for the purposes we have collected it for, or as allowed under the applicable legislation, and to perform our contractual obligations in relation to the products and services offered. This Policy covers the Company’s official corporate website www.papel.com, all its related sub-domains that are registered and operated by the Company as well as the payment gateways and any other software solutions used by the Company.
This Policy is applicable to the processing of personal data regardless of the form/environment in which the personal data is provided (e.g. on paper, electronically, by phone or otherwise) and whether or not the Company processes it by automated means or manually.
Moreover, this Policy applies to former, existing or prospective clients, applicants and visitors on the Company’s website(s) (hereafter “the client” for convenience). The Company strives to protect the privacy, confidentiality and security of all personal data obtained from our clients during the course of the business relationship and their dealings with the Company, including information obtained during their visits to the Company’s website(s).
At the Company, we treat all individual visitors that enter our corporate website(s) as well as all private individuals that represent our corporate clients (i.e. authorized representatives, proxies etc.) and all our private individual clients as Data Subjects in the sense of the GDPR Regulation.
3. Our Commitment to You
The Company fully understands the importance of maintaining the confidentiality and privacy of your personal data. We respect your privacy and to this end, we are committed to taking all reasonable steps in order to protect and safeguard the privacy, confidentiality, security and integrity of your personal data.
4. How do we collect your Personal Data?
In order for a natural person to become our client, (s)he must complete and submit the account opening application form. During this process, the prospective Client is requested to provide certain personal information, data and identification documents as well as acknowledge his/her willingness to share this private information with the Company for the purpose of evaluating the client’s request to open a payment account with the Company and to comply with the Laws and Regulations governing the provision of payment instruments, services and products offered by the Company. Apart from the personal data collected during the account opening process, the Company may collect personal data in a number of ways, including but not limited to, the following:
5. What Personal Data do we collect?
The list of personal data that we may collect from you is not exhaustive. The list below specifies the main categories of personal data, which the Company collects and processes:
6. How do we use and process your Personal Data?
The Company will only collect, use, process, disclose, transfer and store your personal data in accordance with the GDPR Regulation, the local Lithuanian legislation on data protection & practices, and the Client Agreement based on one or more of the following legal bases and purposes:
a) To perform our contractual obligations and to provide you with the services & products you have requested, or to provide you with information regarding our products & services that may be of interest to you, or to keep you updated on the issues that are relevant to your business relationship with us;
b) To complete the client on-boarding and identification procedures. Personal Data is used to verify your identity & residence (in order to accept you as client) as well as to conduct anti-money laundering, sanctions, fraud, credit risk and customer due diligence checks as required by the applicable laws. It is also used to assess and confirm your eligibility to use our products and services. It should be noted that these checks are conducted by our third-party service providers on our behalf;
c) To create an account for you and to set-up and operate the customer account / profile you have with us as well as to provide you with technical or customer support;
d) To process your transactions and to send you information about transactions executed;
e) To administer & improve our website(s) and payment gateways in relation to any technical issues faced, troubleshooting, errors, maintenance, support, data analysis, testing etc.;
g) To perform research or to conduct data analysis which will help us to improve our products & services as well as to provide you with better products & services in the future and/or to suggest to you products & services that may be of interest to you. In such a case, we will combine your personal data with the personal data of other clients on an aggregate basis and create depersonalized data. The Company may provide this research or analysis to third parties solely for statistical and/or marketing purposes to the extent allowed under the Client Agreement already accepted by you. Under no circumstances will you be identifiable from this data analysis; you will remain anonymous;
h) To investigate any grievances or complaints and settle any disputes;
i) To enable you to participate in surveys, competitions, campaigns etc. that might be of interest to you, where you have consented to be contacted for such purposes;
j) To send you marketing communications and/or promotional material in the agreed forms (i.e. by email, telephone or social media). Please note that we will not disclose your personal data to any third parties for the purpose of allowing them to directly market to you;
k) To notify you about any changes to our products and services, Client Agreement, Terms & Conditions, our Policies or other legal documents which form part of the agreement between us, or to keep you updated with news on our products and services, or to provide you with any legal notifications in relation to other important matters relating to your use of our services and products;
l) To comply with the applicable laws & regulations, including requests from the regulator or other competent authorities, court orders, police investigations, preparation of regulatory reporting or any other legal and regulatory requirements to which the Company is subject, such as anti-money laundering laws, market abuse laws, financial services laws, privacy laws and tax laws;
m) To safeguard our legitimate interests, whether this is pursued by us or by another third party. In such a case, the Company must have a sound business or commercial reason to use your personal data and must not go unfairly against your best interests.
If it is necessary to use your personal data for any other reason which is not outlined above, then you will be duly informed (i.e. via a pop-up message, push notification, email or otherwise), including of any additional terms and conditions which will apply. You will be asked to confirm whether you agree to these additional terms and conditions before we can proceed.
Please note that you can control what and how you receive communications or information from us. If you do not wish to receive electronic communications from us (including marketing and advertising communications, promotional material, market research analysis, news, updates, newsletters etc.) then please send an email to [email protected] to unsubscribe from future correspondence and we will stop sending you this information.
Please note that even if you unsubscribe from marketing communications, you will still continue to receive communications from us that are necessary for the operation of your account.
7. Contacting You
The Company or its affiliates, business partners, associates or other agents may, from time to time, contact clients by telephone, fax, email, post or otherwise, for the purposes of offering them further information about the Company’s products and services, or to inform them of promotional offerings, or for marketing purposes or to conduct market research.
If the client wishes to opt-out of any further contact at any time and for whatever reason, (s)he is entitled to do so by contacting the Company’s back-office department via email and requesting in writing that the client wishes no further contact in relation to the above reasons.
8. Disclosure and Transfer of your Personal Data
Any personal data or other confidential information (including recordings, documents of a confidential nature, payment details and personal details) that you provide to the Company will be treated as confidential and it will not be disclosed to any third parties, except when necessary to provide you with our services & products, fulfil our contractual obligations and conduct our business operations as described herein.
Below are the cases under which we may disclose your personal data and why:
a) Group Companies: to any member of our group, meaning any branch, subsidiary company, sister company, parent / holding company and its respective employees in order to provide the services & products requested by the client, to fulfil our contractual obligations under the Client Agreement and to provide technical & customer support. It should be noted that all the group entities and our employees are required to follow our privacy and security protocols when handling personal data;
b) Third party service providers: including but not limited to legal advisors, professional or expert advisors, internal auditors, external auditors, service providers who have been contracted to provide us with software and hardware systems; payment gateways; platforms; support; administrative; financial; legal; accounting; auditing; taxation; compliance; record-keeping; website; cloud-hosting; IT; research; marketing; advertising; email transmission or messaging services; data storage; or other services which are necessary to be able to execute client transactions, instructions, orders or payments, or to complete our contractual obligations, or to provide the services & products requested by our clients, or for purposes which are ancillary to the provision of our services & products to you as our Client. It should be noted that our third-party providers are permitted to use your personal data only to provide the services contracted for and may not use or otherwise share your personal data;
c) Credit reference agencies, fraud prevention agencies, third authentication service providers, banks, payment service providers, other financial institutions: to conduct credit checking, anti-money laundering checks, identity verification checks, sanction checks, fraud & fraud prevention checks, risk assessment, payments processing or customer due diligence checks. In order to do so, these organizations will check the client’s details supplied against any details held on any database (public or otherwise) to which they have access. These organizations may store your information in order to comply with their legal and regulatory obligations. A record of the search conducted by these organizations will be retained by us;
d) Our affiliates, business partners, agents, associates and business introducers: with whom we have a mutual business relationship and they have directed you to us;
e) Police, courts, regulatory authorities, governmental agencies, public authorities and law enforcement authorities: having control or jurisdiction over the company or companies of the group, our clients, our associates or in whose territory we have clients or providers, as applicable. In such a case, we will share your personal data only when it is required to comply with the applicable laws, rules and regulations, or to comply with a court order of a competent Court, or to comply with investigations, administrative, judicial or legal proceedings and/or to respond to official requests from these authorities. This may include authorities outside the client’s country of residence or the Company’s country of operations;
f) Other third parties: we may share personal data in the event of a merger, sale, restructure, acquisition, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including bankruptcy/liquidation proceedings or equivalent);
g) Where necessary to secure the Company’s legitimate business interests and to defend, protect and/or exercise its legal rights in front of any court, tribunal, arbitrator, the Financial Ombudsman or any other regulatory or governmental authority, as the case may be;
h) at your request or with your consent;
i) to any person(s) authorised by you.
9. Safeguard Measures
The Company has implemented physical, technical & organizational measures to secure and protect your personal data from unauthorized access, use or disclosure, unlawful breach or from accidental destruction, loss or damage. The personal data you provide to us is protected in many ways as follows:
a) Your personal data are stored in secure servers and back-up servers.
b) Access to your personal data is limited only to those employees or partners that need to know the information in order to enable the carrying out of the Client Agreement and have access via a username and password.
c) The Company uses encryption, tokenisation and takes all reasonable technical security measures to prevent unauthorized parties from viewing, using or processing any such information. This information is accessible only to authorized personnel.
d) Our payment card environment is assessed as Payment Card Industry Data Security Standard (PCI DSS) compliant by the external assessor.
e) We train our employees regularly regarding the importance of maintaining, safeguarding and respecting your personal data and security.
f) Potential breaches of individuals’ privacy are taken very seriously. The Company will impose appropriate disciplinary measures on its employees in such a case and it could even involve a dismissal from employment.
g) Our business partners, affiliates, agents, associates, service providers and employees sign a confidentiality and non-disclosure agreement in order to maintain the confidentiality of your personal data.
h) The Company tests and monitors the effectiveness of security measures frequently.
i) We have appointed a Data Protection Officer (DPO) to ensure that the Company obtains, manages, processes and discloses your personal data in accordance with this Policy and the applicable legislative and regulatory framework.
j) In the unlikely event of a data breach, as soon as the Company becomes aware of a breach of personal data protection, and without undue delay, the Company notifies the regulatory body in accordance with the provisions of the GDPR Regulation. In the event that a breach of personal data protection could pose a high risk to the rights and liberties of persons, the Company will, without undue delay, notify the person about the personal data breach.
While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the transmission of information via the internet is not entirely secure and for this reason we cannot ensure or guarantee the confidentiality, security or integrity of any personal data transferred from you to us, or from us to you via the internet.
The Company shall not be responsible or liable (whether in civil, criminal or otherwise) under any circumstances for any amount or kind of loss or damage (including without limitation, any direct, indirect, punitive or consequential loss or damages, or any anticipated loss of profit, loss of profit, loss of opportunity, loss of data, costs and fines and/or any special or incidental damages of any kind) that may result to you or arise from or be connected in any way to cyber-attacks, computer viruses, system failures or malfunctions which may occur in connection with your use of the Company’s products, services, websites, devices, mobile applications, payment channels or any other method.
10. Storage and Retention Period of your Personal Data
Under the applicable laws and regulations (including anti-money laundering laws), the Company is required to retain all types of records containing client personal data for at least five (5) years after the termination of the business relationship between us and/or as long as one of the following criteria is valid:
However, please note that we may keep your personal data for longer than five (5) years in case for example a dispute arises between the client and the Company, or due to legal / regulatory reasons requiring us to do so. In any case, we will not keep your personal information for any longer than is required. As soon as the purpose has been fulfilled, the Company erases the data or destroys the information carriers on which the data is recorded (e.g. documents in paper format).
Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time. When personal data is no longer necessary for the purpose for which it was collected, we will securely destroy the records.
11. Transfer of Personal Data outside the EEA
EU data protection rules apply to the European Economic Area (EEA) which includes all the EU countries and non-EU countries: Iceland, Liechtenstein and Norway. If necessary, the Company may transfer your personal data to a country outside the EEA, for storage and/or for processing by staff operating outside the EEA who work for the Company and/or to our suppliers, business partners, associates, affiliates, agents, business introducers or service providers who are engaged on our behalf to fulfil our contractual obligations under the Client Agreement. Moreover, personal data we collect from you may be stored or processed in a jurisdiction that is different to the country in which the specific entity of the group you are dealing with is registered and established. Therefore, by entering into the Client Agreement with the Company and submitting your personal data, you agree to the transmittal, storing and processing of your personal data outside the EEA.
Nonetheless, when your personal data is transferred outside the EEA, the Company will take all steps reasonably necessary to ensure that the transfer is lawful, that the organization to whom your data are sent provides data protection at an adequate level, or that the receiving company undertakes sufficient guarantees in accordance with the provisions of the GDPR regulation to ensure that your personal data are treated securely.
Where this is not possible and we are required to disclose your personal data (i.e. because we are required by law or by virtue of a court order in place) we will do this as per the applicable legal and regulatory obligations.
The Company will only send personal data outside the EU/EEA to a country, in relation to which the European Commission has not made a decision regarding the adequacy of its security level and which does not provide the corresponding guarantees, if:
a) The person has clearly agreed to the proposed transfer, having received information from the Company about the potential risks that such a transfer could pose to the person;
b) Transfer is necessary in order to fulfil the contract between the client and Company or to implement measures after the conclusion of the contract, which were approved at the client’s request;
c) Transfer is necessary for conclusion of an agreement between the Company and another private individual or legal entity, in the interests of the client or for the fulfilment of such a contract;
d) Transfer is necessary if there are important reasons of public interest;
e) Transfer is necessary in order to raise, fulfil or defend legal requirements, or
f) Transfer is necessary in order to protect the vitally important interests of persons if the client is physically or legally incapable of giving its consent.
12. Cookies and Links
The Company’s data collection procedures include the placement of cookies for the purpose of gathering information and data about the manner in which our clients interact with the Company’s website(s) in order to provide our clients with a better experience and present our services and products according to your needs and preferences. Cookies are small data files sent from our website(s) to your browser and stored on the client’s computer when using our website(s); they may include a unique identification number. A cookie in no way gives us access to your computer or any other information about you, other than the information you choose to share with us.
13. Monitoring and Recordings
The Company will, as required by law, monitor and record any form of communication between the Client and the Company, including but not limited to, electronic correspondence (i.e. chats/emails), video calls, fax, postage, telephone conversations, in person or otherwise, in relation to the provision of our services & products and our business relationship with you. The Client accepts such recordings as conclusive evidence of the orders, instructions, requests or conversations so recorded.
Moreover, we hereby inform you that we have security measures in place both for the whole building and at our offices, including CCTV and building access controls. There are signs notifying you that CCTV is in operation. Accordingly, if you visit the Company’s premises for any reason, we may have CCTV footage which will record your image. However, these images are securely stored and only accessed by authorized personnel on a need-to-know basis (i.e. to look into an incident). CCTV recordings are typically erased after a short period of time unless an issue arises which requires us to maintain the recording for a longer period of time (i.e. to investigate a case of theft).
In addition, visitors to our offices may be requested to sign in at reception and we shall keep a record of visitors for a short period of time. Our visitor records are securely stored and are accessible only on a need-to-know basis. All the above-mentioned types of recordings will be the sole property of the Company and will constitute evidence of the communications between us, any business dealings and agreements made. The Company reserves the right to use these recordings in a court of law in case of a dispute or otherwise.
14. Your Rights regarding your Personal Data
In line with the provisions and requirements of the GDPR Regulation (679/16) on the protection of personal data, you have the following rights in relation to your personal data:
a) Access to your Personal Data: you have the right to access your personal data, to review all the personal data that is related to you and which was collected for the duration of the business relationship, to update your file and to check the accuracy of your personal data at any time, which is related to you individually.
b) Rectification: if the personal data we hold about you is inaccurate or incomplete, you are entitled to make rectifications, amendments and update it with your current personal circumstances. In such a case, the Company may request supporting documents or evidence to justify the correction of the data.
c) Changes: you may inform the Company at any time regarding any changes to your personal data by emailing us at [email protected]. The Company will change your personal data according to your instructions. Please note that in order to proceed with such requests, the Company may require supporting documents from you as proof.
d) Deletion: you have the right to request us to delete your personal data (partly or wholly) when there is no good reason for us to continue processing it, except to the extent that we are required to hold it for legal or regulatory purposes as well as to maintain adequate records in accordance with anti-money laundering requirements. Please note that if you request to delete your personal data, this will lead to the automatic closure of your customer account.
e) Information on use and processing: you have the right to obtain information on the use and purpose of processing your personal data as well as to be informed of what information we process, and you have the right to request a copy of the personal data we hold about you (except documents) within thirty (30) days from the date of your request free of charge. Taking into account the complexity or number of requests, the Company may extend the response time to two (2) months. If you require additional copies, we may charge a reasonable administrative fee based on actual costs incurred. The Company may decline the client’s request if it is clearly unjustified or excessive, particularly because of their repetition on a regular basis.
f) Processing Restrictions: you have the right to request us to limit the processing or to stop the processing altogether of your personal data for one of the following reasons:
This will not stop us however from storing your personal data and may have an effect on the provision of our services rendered to you and/or may result in account closure.
g) Choice to opt-out: you may opt-out from receiving commercial, non-commercial newsletters and notifications from the Company by notifying our DPO.
h) Portability: you have the right, under certain circumstances, to receive and retain your personal data in order to save it or to re-use it elsewhere, or to ask us to transfer them to another Data Controller or Third Party nominated by you. After the fulfilment of the data transfer application, the Company would no longer be responsible for its subsequent processing by the third party. The data transfer is free of charge.
i) Withdrawal: you may withdraw your previously given explicit consent with regards to the collection, use and processing of your personal data at any time by contacting our DPO. In that case subsequent data processing will no longer be carried out; however, personal data processing carried out before the withdrawal will remain valid. Withdrawal of consent cannot result in the suspension of personal data processing which is carried out on legal grounds.
You can submit your request to make use of the above rights to your personal data by contacting our Data Protection Officer (DPO) through email at the following address: [email protected]
15. Legal Disclaimer
The client is responsible for keeping their login credentials confidential and not disclosing them to any unauthorized third party. If any person gains access to the client’s account and/or personal data, the Company will not be held responsible or liable for any damage that occurs, or any unlawful or unauthorized use of your personal data due to misuse or misplacement of your login credentials, negligent or malicious intervention (or otherwise) by you or due to your acts or omissions or by a person authorized by you (whether or not that authorization is permitted by the terms of our legal relationship with you).
The collection, use and storage of your personal data is based on your consent. By entering into an agreement with the Company, establishing a customer account and accessing the Company’s website(s), portals or payment gateways, you agree and consent to the collection, use and storage (for at least 5 years from the end of the business relationship) of all the personal data that you supply to the Company by the means described herein. In addition, please note that downloading the Company’s platform(s) and allowing cookie settings in your web browser also constitutes consent to this Policy. You may revoke your consent at any time; however, any personal data processed before the receipt of your revocation will not be affected.
17. Data Protection Officer (DPO)
If you have any questions regarding this Policy, wish to make a complaint or exercise any of your rights in relation to your personal data you may contact our DPO as follows:
Via email at: [email protected]
Via telephone: +370 672 277 61
With registered post at: Konstitucijos pr. 21C, 5th Floor, Vilnius, LT-08130, Lithuania
If you are still not satisfied after having spoken to us, or you are unhappy with the outcome of the complaint, you also have the right to lodge a complaint to the State Data Protection Inspectorate (which is the supervisory authority/regulator for personal data protection issues in Lithuania) by visiting this page https://vdai.lrv.lt/en/.
18. Amendments to this Policy
The Company will review this Policy at least annually, or whenever a material change occurs in the law, or in the Company’s internal procedures/arrangements, or whenever the Company deems it necessary for any reason, and will duly notify its clients of such changes by posting an updated version of this Policy on its website(s). If, however, we make material or significant changes, we will notify you promptly by other means.
The Client hereby accepts that the posting of an updated Policy on the Company’s website will serve as the actual notice of the Company to its clients. The Company encourages its clients to periodically review this Policy so that they are always aware of what information the Company collects, how it uses it and to whom it may disclose it, in accordance with the provisions of this Policy.