Last Updated: July 2023
2.1 In terms of the applicable data protection laws, we, Veli UAB, a limited liability company incorporated in accordance with Lithuanian law under corporate ID number: 306141861, with our registered office at Girulių g. 10, Vilnius, Lithuania, represent the data controller that offer the Services via our website www.veliapp.io and our mobile app.
4.1 We process the Personal Data that we receive from you at the time you register for the use of our Services, as well as Personal Data which we may additionally request in order to verify your identity or if necessary for the use of the Services. Furthermore, we might process data we receive within Veli and data we have received from credit agencies, debtor directories, business analysis and from publicly accessible sources (e.g. commercial register, register of associations, land register, media, sanctions lists).
4.2 When using Veli’s services or interacting with Veli, the following Personal Data might be processed:
4.2.1 Identity data includes your name, username or similar identifier, marital status, title, date of birth and gender and photo for the account.
4.2.2 Contact data includes your address, telephone number, email address, date of birth.
4.2.3 Verification data includes screenshots of national identity documents, like passport, driving licence, ID card, and identification data from these documents, utility bill details for residence verification, data about status of political exposed persons, video data from the video authentication process and biometric data for verification.
4.2.4 Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us, your interests, preferences, feedback and survey responses, as well as information about how you use our website and Services.
4.2.5 Financial data includes bank details (IBAN, BIC), payment service provider information, payment details and transaction-ID.
4.2.6 Log data includes IP-address, transaction data, deposit and withdrawal address, computer or mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, identification cookies, optionally form data, crash reports, performance data and third-party cookies.
4.2.7 Mobile app data includes IP-address, transaction data, deposit and withdrawal address, mobile device information, frequency, time, operating system, browser type, device type, unique device identification number, optionally form data, crash reports, performance data and only with your explicit consent, data from: camera, microphone, storage, telephone (read SMS confirmation).
4.2.8 Company details include commercial register reports, data of or concerning beneficial owners, records or additional information on recent, past or planned business activities, other data necessary to determine/validate the structure, the beneficial ownership or any power of attorney of the company, etc.
4.2.9 Details to and proof of funds and proof of wealth includes banking statements or any other details provided by banks or financial institutions, contracts of sales or contracts in general, or any other suitable data to prove or determine the origin of funds, as well as information on recent, past or planned business or personal activities of business or private Clients.
4.2.10 Photo, video and audio data includes photos and other recordings of such events and might process photo, video and audio data when we attend or organise events or fairs or hold interviews.
4.2.11 Hiring data includes curriculum vitae, qualifications, police clearance certificate, credit report, national identity documents like passport, driving licence, Personal Data from all these documents and links to your portfolio or social media platforms.
4.3 Veli generally does not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). An exception to this is when you voluntarily perform the verification of your account using the automated authentication process of our service provider Onfido Limited (3 Finsbury Avenue, London EC2M 2PA).
With this verification method, in addition to the actual verification data (e.g., screenshots of ID documents and identification data from these, residence, status of politically exposed persons, video data, etc.), biometric data is also collected. Such processing of biometric data takes place exclusively on the basis of your express consent, which you may revoke at any time.
The biometric data will be processed solely by our processor Onfido Limited for the purpose of verification and will be erased completely within 30 days after performing the identification. Veli only receives the positive or negative verification result with other verification data and does not process biometric data from Clients itself at any time.
5.1 All collection and processing of Personal Data is performed in accordance with the GDPR and the Lithuanian Personal Data Protection Law. We process your Personal Data based on at least one of the legal bases listed below. If Veli were to ask for the provision of any other Personal Data not described above, then such data and the purpose and legal basis for the collection and processing will be communicated to the Client at the point of collecting the Personal Data.
5.1.1 For performance of contractual obligations (Art 6 para 1 lit b GDPR)
Processing of Personal Data might be necessary for the performance of the contract with you or in order to take steps at your request prior to entering into a contract, i.e. in order for Veli to be able to provide you with the Services. The following data processing operations, for example, are covered by such contractual obligations:
5.1.2 For compliance with legal obligations (Art 6 para 1 lit c GDPR)
Processing of Personal Data might also be necessary for complying with various legal obligations (e.g. to comply with anti-money laundering regulations).
5.1.3 To protect legitimate interests (Art 6 para 1 lit f GDPR)
Where necessary, data processing might take place beyond the performance of the contract in order to maintain the legitimate interests of Veli or a third party, including to keep our records updated and to study how customers use our Services, to prevent the abuse of our Services and to ensure good management of our fees and collection and recovery of payments owned to us.
5.1.4 Based on your consent (Art 6 para 1 lit a GDPR)
If you have given us your consent to process your Personal Data, processing will only take place in accordance with the defined purposes and to the extent agreed in the declaration of consent. Given consent may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing. Please note that the withdrawal of the consent does not affect the lawfulness of processing based on consent before its withdrawal.
5.2 We collect your Personal Data to:
6.1 Veli transfers your Personal Data only to the extent described below or within the scope of an instruction at the time the Personal Data is collected from you. In addition, Personal Data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties.
6.1.1 Data transfer within Veli:
The employees of Veli will process your Personal Data in order to fulfil Veli’s contractual and legal obligations and legitimate interests. We process Personal Data for the purpose of our daily business operations like account management and other operations requested by you as well as to conduct internal administrative activities efficiently in a shared way and to maintain as well as improve our products and services.
6.1.2 Data transfer to processors:
To a limited extent, we also transmit personal information to processors who perform services for us such as video authentication services (e.g. Onfido Limited), IT services (CRM, Intercom, user analytics – Mixpanel), Support services (Reyn Digital Assets OÜ). Processors may only use or disclose this data to the extent necessary to perform services for us or to comply with legal rules. We contractually oblige these processors to ensure the confidentiality and security of your Personal Data that they process on our behalf.
6.1.3 Data transfer to public bodies and institutions:
We might also transfer your Personal Data (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.
6.1.4 Other third parties:
We might transfer your Personal Data to any other person with your consent to the disclosure or for the purpose of performing a contract or in order to take steps at your request prior to entering into a contract.
8.1 We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements, which is typically one year after termination of your Veli account.
8.2 We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
8.3 In some circumstances you can ask us to delete your data. In some circumstances we will anonymise your Personal Data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
9.1 Under the GDPR and the Personal Data Protection Law, you have statutory rights related to your Personal Data, however please note that these rights may be subject to conditions.
9.2 You have the following rights:
9.2.1 to object to the processing of your Personal Data where we are relying on legitimate interests as our legal basis. Under certain circumstances, we may have compelling legitimate grounds that allow us to continue processing your Personal Data.
9.2.2 to withdraw consent – insofar as our processing of your Personal Data is based on your consent, you have the right to withdraw consent at any time.
9.2.3 to access – you have the right to request access to your Personal Data.
9.2.4 to rectification – you have the right to request rectification of the Personal Data that we hold about you.
9.2.5 to deletion – you have the right to request deletion of your Personal Data. This enables you to ask us to delete or remove Personal Data in certain circumstances.
9.2.6 to restriction – you have the right to request restriction of processing of your Personal Data.
9.2.7 to data portability – in some cases, you have the right to request to transfer your Personal Data to you or to a third party of your choice.
The exercise of the aforementioned rights is free of charge and can be carried out by contacting us at firstname.lastname@example.org.
Before responding to your request, we will verify your identity and/or ask you to provide us with more information to respond to your request, if we have any doubts about your identity. We will do our best to respond to your request within one month, unless your request is particularly complex (for example if your request concerns a large amount of sensitive data). In such a case, we will inform you of the need to extend this response time by two additional months.
9.3 You have the right to file a complaint to the competent supervisory authority, if you think your rights have been violated under the GDPR. In Lithuania, this is the Data Protection Inspectorate (VDAI).
10.1 We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your Personal Data to those employees, agents, contractors and other third parties on a business need to know basis. They will only process your Personal Data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.