Privacy Policy – Veli UAB

Last Updated: July 2023

1. Introduction

1.1 For Veli UAB (hereinafter the “Company” or “Veli” or “us”) the protection of your privacy and the security of your transactions is a primary concern. To provide you with the Services and in order to comply with the applicable laws, we collect personal information from you as a user or prospective user of the Services. Therefore, this Privacy Policy outlines the types of Personal Data we collect from you, how we use it, who we share it with, and how we protect it. Furthermore, we would like to inform you what rights you have in respect of your Personal Data and to whom you can turn for data protection concerns. 

1.2 This Privacy Policy is issued by and applicable to all Services provided to you by Veli.

1.3 This Privacy Policy forms an integral part of the General Terms and Conditions, by agreeing to the General Terms of Conditions, you also agree to this Privacy Policy.

1.4 Regarding the terms used in this Privacy Policy, including “Personal Data”, “processing” or “controller”, we refer to the definitions set out in the General Data Protection Regulation (GDPR).

2. About Veli

2.1 In terms of the applicable data protection laws, we, Veli UAB, a limited liability company incorporated in accordance with Lithuanian law under corporate ID number: 306141861, with our registered office at Girulių g. 10, Vilnius, Lithuania, represent the data controller that offer the Services via our website www.veliapp.io and our mobile app.

3. To whom does this Privacy Policy apply?

3.1 This Privacy Policy applies to all persons who use the Services, the website, the app or interact otherwise with the Veli (e.g. business partners, interested parties, service providers, etc.); generally, such persons hereinafter called “Client” or “you“.

4. Which Personal Data we process:

4.1 We process the Personal Data that we receive from you at the time you register for the use of our Services, as well as Personal Data which we may additionally request in order to verify your identity or if necessary for the use of the Services. Furthermore, we might process data we receive within Veli and data we have received from credit agencies, debtor directories, business analysis and from publicly accessible sources (e.g. commercial register, register of associations, land register, media, sanctions lists).

4.2 When using Veli’s services or interacting with Veli, the following Personal Data might be processed:

     4.2.1 Identity data includes your name, username or similar identifier, marital status, title, date of birth and gender and photo for the account.

     4.2.2 Contact data includes your address, telephone number, email address, date of birth.

     4.2.3 Verification data includes screenshots of national identity documents, like passport, driving licence, ID card, and identification data from these documents, utility bill details for residence verification, data about status of political exposed persons, video data from the video authentication process and biometric data for verification.

     4.2.4 Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us, your interests, preferences, feedback and survey responses, as well as information about how you use our website and Services.

     4.2.5 Financial data includes bank details (IBAN, BIC), payment service provider information, payment details and transaction-ID.

     4.2.6 Log data includes IP-address, transaction data, deposit and withdrawal address, computer or mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, identification cookies, optionally form data, crash reports, performance data and third-party cookies.

     4.2.7 Mobile app data includes IP-address, transaction data, deposit and withdrawal address, mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, optionally form data, crash reports, performance data and only with your explicit consent, data from: camera, microphone, storage, telephone (read SMS confirmation).

     4.2.8 Company details include commercial register reports, data of or concerning beneficial owners, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company, etc.

     4.2.9 Details to and proof of funds and proof of wealth includes banking statements or any other details provided by banks or financial institutions, contracts of sales or contracts in general, or any other suitable data to prove or determine the origin of funds, as well as information on recent, past or planned business or personal activities of business or private Clients.

     4.2.10 Photo, video and audio data includes photos and other recordings of such events and might process photo, video and audio data when we attend or organise events or fairs or hold interviews. 

     4.2.11 Hiring data includes curriculum vitae, qualifications, police clearance certificate, credit report, national identity documents like passport, driving licence, Personal Data from all these documents and links to your portfolio or social media platforms.

4.3 Veli generally does not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). An exception to this is when you voluntarily perform the verification of your account using the automated authentication process of our service provider Onfido Limited (3 Finsbury Avenue, London EC2M 2PA).

With this verification method, in addition to the actual verification data (e.g., screenshots of ID documents and identification data from these, residence, status of politically exposed persons, video data, etc.), biometric data is also collected. Such processing of biometric data takes place exclusively on the basis of your express consent, which you may revoke at any time.

The biometric data will be processed solely by our processor Onfido Limited for the purpose of verification and will be erased completely within 30 days after performing the identification. Veli only receives the positive or negative verification result with other verification data and does not process biometric data from Clients itself at any time.

5. Purpose and legal basis for using Personal Data

5.1 All collection and processing of Personal Data is performed in accordance with the GDPR and the Lithuanian Personal Data Protection Law. We process your Personal Data based on at least one of the legal bases listed below. If Veli were to ask for the provision of any other Personal Data not described above, then such data and the purpose and legal basis for the collection and processing will be communicated to the Client at the point of collecting the Personal Data.

     5.1.1 For performance of contractual obligations (Art 6 para 1 lit b GDPR)

Processing of Personal Data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract, i.e. in order for Veli to be able to provide you with the Services. The following data processing operations, for example, are covered by such contractual obligations:

     5.1.2 For compliance with legal obligations (Art 6 para 1 lit c GDPR)

Processing of Personal Data might also be necessary for complying with various legal obligations (e.g. to comply with anti-money laundering regulations). 

     5.1.3 To protect legitimate interests (Art 6 para 1 lit f GDPR)

Where necessary, data processing might take place beyond the performance of the contract in order to maintain the legitimate interests of Veli or a third party, including to keep our records updated and to study how customers use our Services, to prevent the abuse of our Services and to ensure good management of our fees and collection and recovery of payments owned to us.

     5.1.4 Based on your consent (Art 6 para 1 lit a GDPR)

If you have given us your consent to process your Personal Data, processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing. Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.

5.2 We collect your Personal Data to:

  • Provide our Services (including customer support);
  • Process transactions and send notices about your transactions;
  • Resolve disputes, collect fees, and troubleshoot problems;
  • Communicate with you about our Services and to respond to any questions, comments or requests you filed with us and the handling of any complaints;
  • Comply with applicable laws and regulations;
  • Establish, exercise and defend legal claims;
  • Monitor and report compliance issues;
  • Customise, measure, and improve our business, the Services, and the content and layout of the Veli website and Veli app (including developing new Services; managing our communications; determining the effectiveness of our marketing and advertising; analysing and enhancing our Services, website and app; ensuring the security of our networks and information systems; performing accounting, auditing, invoicing, reconciliation and collection activities; and improving and maintaining the quality of our customer services);
  • Perform data analysis;
  • Deliver targeted marketing, service update notices and promotional offers based on your communication preferences, and measure the effectiveness of it. To approach you via email for marketing purposes, we request your consent, unless it is not required by law. You always have the option to unsubscribe from our mailings, e.g., via the unsubscribe link in our newsletter;
  • Perform risk management, including comparing information for accuracy and verify it with third parties and protect against, identify and prevent fraud and other prohibited or illegal activity, claims and other liabilities; and
  • Enforce our contractual terms.

6. Recipients of Personal Data:

6.1 Veli transfers your Personal Data only to the extent described below or within the scope of an instruction at the time the Personal Data is collected from you. In addition, Personal Data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties.

     6.1.1 Data transfer within Veli:

The employees of Veli will process your Personal Data in order to fulfil Veli’s contractual and legal obligations and legitimate interests. We process Personal Data for the purpose of our daily business operations like account management and other operations requested by you as well as to conduct internal administrative activities efficiently in a shared way and to maintain as well as improve our products and services.

     6.1.2 Data transfer to processors:

To a limited extent, we also transmit personal information to processors who perform services for us such as video authentication services (e.g. Onfido Limited), IT services (CRM, Intercom, user analytics – Mixpanel), Support services (Reyn Digital Assets OÜ). Processors may only use or disclose this data to the extent necessary to perform services for us or to comply with legal rules. We contractually oblige these processors to ensure the confidentiality and security of your Personal Data that they process on our behalf.

     6.1.3 Data transfer to public bodies and institutions:

We might also transfer your Personal Data (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.

     6.1.4 Other third parties:

We might transfer your Personal Data to any other person with your consent to the disclosure or for the purpose of performing a contract or in order to take steps at your request prior to entering into a contract.

7. International data transfers

7.1 Your Personal Data may be accessed by staff or suppliers in, transferred to, and/or stored at, a destination outside the country in which you are located, whose data protection laws might be of a lower standard than those in the European Union. However, Veli will in all circumstances safeguard Personal Data as set out in this Privacy Policy. If we process Personal Data in a third country (outside the European Union (EU) or the European Economic Area [EEA]) or if this occurs in the context of the use of third-party services or disclosure and/or transfer of Personal Data to third parties, we shall only transfer Personal Data to the performance of our (pre)contractual obligations, based on your consent, a legal obligation or our legitimate interests. Subject to legal or contractual authorizations, we process or have Personal Data processed in a third country only where the conditions of Art 44 et seq GDPR are met. This means, for example, that processing and the transfer is carried out based on special safeguards, such as the adherence to a code of conduct or certification mechanism together with binding and enforceable commitments from the recipient in the third country to apply the appropriate safeguards to protect the data or compliance with officially recognised special contractual obligations published by the European Commission (known as “Standard Contractual Clauses”).

8. Retention and deletion of Personal Data

8.1 We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements, which is typically one year after termination of your Veli account.

8.2 We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. 

8.3 In some circumstances you can ask us to delete your data. In some circumstances we will anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

8.4 Unless expressly stated in this Privacy Policy, Personal Data processed by us shall be erased as soon as they are no longer required for their intended purpose and the erasure does not conflict with any statutory retention obligations.

9. Your rights

9.1 Under the GDPR and the Personal Data Protection Law, you have statutory rights related to your Personal Data, however please note that these rights may be subject to conditions.

9.2 You have the following rights:

     9.2.1 to object to the processing of your Personal Data where we are relying on legitimate interests as our legal basis. Under certain circumstances, we may have compelling legitimate grounds that allow us to continue processing your Personal Data. 

     9.2.2 to withdraw consent – insofar as our processing of your Personal Data is based on your consent, you have the right to withdraw consent at any time.

     9.2.3 to access – you have the right to request access to your Personal Data.

     9.2.4 to rectification – you have the right to request rectification of the Personal Data that we hold about you.

     9.2.5 to deletion – you have the right to request deletion of your Personal Data. This enables you to ask us to delete or remove Personal Data in certain circumstances.

     9.2.6 to restriction – you have the right to request restriction of processing of your Personal Data.

     9.2.7 to data portability – in some cases, you have the right to request to transfer your Personal Data to you or to a third party of your choice.

The exercise of the aforementioned rights is free of charge and can be carried out by contacting us at privacy@veliapp.io.

Before responding to your request, we will verify your identity and/or ask you to provide us with more information to respond to your request, if we have any doubts about your identity. We will do our best to respond to your request within one month, unless your request is particularly complex (for example if your request concerns a large amount of sensitive data). In such a case, we will inform you of the need to extend this response time by two additional months.

9.3 You have the right to file a complaint to the competent supervisory authority, if you think your rights have been violated under the GDPR. In Lithuania, this is the Data Protection Inspectorate (VDAI).

10. Data security

10.1 We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties on a business need to know basis. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

11. Changes to our Privacy Policy

11.1 We may, from time to time, change our Privacy Policy. If we make material changes to how we treat your Personal Data, we will notify you through a notice on the Veli website. The date the Privacy Policy was last modified is stated on this notice. Please ensure you periodically visit our website and this Privacy Policy to check for any changes. However, if we are required by law to give you advance notice of any changes to this Privacy Policy and/or seek your consent to changes in our uses of your personal information, then we will do so.

Thank you for reading our Privacy Policy!

If you have any further questions about this Privacy Policy or the processing of your Personal Data, please contact our Data Protection Officer at the following e-mail: privacy@veliapp.io.