- Nexo Platform means any Nexo website, mobile application(s) and any other official Nexo communication channel, including the content and services made available on or through the same, and any updates, upgrades, and versions thereof;
- Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or to one or more factors specific to that natural person;
- Privacy Laws means any applicable personal data protection legislation;
- Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data.
III. INFORMATION WE COLLECT
Nexo may collect the following types of Personal Data when you visit the Website, register on the Nexo Platform, use Nexo Services, and when you interact and communicate with Nexo through any media or channel:
1. User-provided information:
- Identification information: full name, personal identification number, date, place and/or country of birth, your picture and/or selfie, pictures of your identification document (passport, ID or driver's licence) - front and back; email address, PEP status (Politically Exposed Persons), statements of your social status or official position held, sanctions status;
- Contact and communication information: permanent and current address, telephone number, social media profiles, tags and handles, messages in any social platform or communication channel or medium;
- Labour status: occupation, industry, employment status;
- Financial information: bank account number, digital asset wallet, source of funds, source of crypto, transaction history, assets on the Nexo Platform;
- Other information: any information that you provide to Nexo at your own discretion.
2. Information we collect automatically
When you visit the Nexo Platform, we automatically collect the following information:
- Technical information, including the information about your device, information related to the network, software and the network connection with internet, information ensuring your access to your Nexo Account, type and version of your browser, setting of the time zone, type and version of the browser extensions, operating system and platform, screen resolution, geolocation, font coding;
- Information about your website visits, including full history of your visits from the Unified Resource Locator (URL) to, via or from the Nexo Platform (including date and hour of such visits); consent given to the Terms and Conditions and the Cookie banner; services which you searched for or have seen; forwarding/initial webpages; files, you have seen on our Nexo Platform (e.g. HTML pages, graphics, others), time for page answer, uploading mistakes of the webpage, access time for the different pages, information for the interaction of the webpage (like clicking, moving the cursor, others) and the ways for getting out of the page. For additional information please see our Cookies Policy;
- Information generated by using Nexo Services, including assets on the Nexo Platform, account status, loyalty level, transaction history, activity log, IP log, geolocation.
3. Information we get from third parties
- Nexo gets information about you from third parties only in the context of account creation and verification, and during the regular due diligence processes, in compliance with its statutory obligations. More information about third parties and our identity verification providers is available in Section VII Third Parties.
- Apart from the information above, Nexo does not request and/or collect any Personal Data about you from third parties.
Please note that if you refuse to provide Personal Data when requested, especially where we need to collect it by law, or under the terms of a contract we have or are looking to enter into with you, we may not be able to perform the relevant contract, including the ability to offer or continue to provide our services to you.
IV. PROCESSING PURPOSES
- Identification and verification: to process your application and to provide services to you, to verify your identity (this may also include the use of biometric technologies);
- Transaction services: to accept and process orders, process payments, and communicate with you about orders, services, and promotional offers;
- Recommendations and personalization: to personalise your experience and to allow us to deliver the type of content and service offerings in which you are most interested, including to save your preferences and login information, and to provide customised content;
- Continuous improvement of the Nexo Platform: we use your Personal Data to provide functionalities on, analyse performance, fix errors, and improve the usability and effectiveness of the Nexo Platform; to maintain the quality and safety of our services; for internal quality control purposes including debugging to identify and repair errors that impair existing intended functionality; to identify and analyse service usage metrics and/or trends (e.g. pages visited, functions used, etc.) and for data analysis, including for research, audit, reporting or other business operation purposes;
- Compliance with applicable legislation: in certain cases, we collect and use your Personal Data to comply with Privacy Laws and other local and international applicable industry laws and regulations;
- Communication: we use your Personal Data to communicate with you in relation to your access to the Nexo Platform and for the provision of Nexo Services, as well as for informing you regarding any changes to Nexo, our services or our contractual relationship;
- Fraud prevention: we process your Personal Data to monitor and detect security incidents, to protect against malicious, deceptive, fraudulent or illegal activity, including money laundering, terrorism financing and other criminal activities and hold those responsible for that activity;
- Marketing purposes: we may use your Personal Data to send you marketing communications by email or other agreed forms (including social media campaigns), to ensure you are always kept up-to-date with Nexo’s latest products and services. Any marketing communications shall include an option to unsubscribe from the mailing lists;
- Purposes for which we seek your consent: we may also ask for your consent to process your Personal Data for a specific purpose that we communicate to you. In such cases, when you consent to Processing for a specified purpose, you may withdraw your consent at any time, and we will cease Processing your Personal Data for that purpose;
- For any other purposes arising from the activities listed above, not prohibited by law.
V. LEGAL BASIS FOR PROCESSING
To achieve the purposes listed above, Nexo collects and processes your Personal Data in a legitimate and transparent manner under the Privacy Laws, and namely:
- for the purpose of concluding and/or implementing a contract with you;
- to fulfil our obligations under the applicable legislation;
- for the purposes of our legitimate interests, except when your interests and rights take precedence over Nexo’s legitimate interests; or
- based on your consent, where necessary - in the event your consent is required, Personal Data Processing shall commence only after receipt of such consent.
VI. AUTOMATED DECISION MAKING AND PROFILING
Automated decision making is the ability to make decisions by technological means without human involvement. We use automated decision making, for example, because it:
- allows greater consistency and fairness in the decision-making process (e.g., it helps reduce the potential for human error or discrimination);
- enables delivery of decisions within a shorter time frame than a human-based process, improving the efficiency of the process;
- reduces the risk of clients failing to meet loan repayments.
Automated decisions can be based on any type of data, for example:
- data provided directly by the Data Subject to Nexo or its identity verification service providers;
- data observed about the Data Subject (such as location data collected via the Nexo Platform);
- inferred or derived data (your credit loan-to-value ratio as determined by the Nexo Oracle);
VII. THIRD PARTIES
We may share your Personal Data with the following categories of external third parties:
- Banking and payment network service providers to enable you to upload funds, make and receive payments and withdraw funds; these providers include banks, acquirers, alternative payment providers, card providers and account information service providers;
- Providers of risk assessment and fraud detection, know your customer checks, anti-money laundering and counter-terrorism financing services;
- Online advertising platforms for the purposes of marketing;
- Analytics and search engines providers that assist us in the improvement and optimisation of the Nexo Platform;
- Cloud service providers who among other things provide us with the necessary infrastructure to safely store and manage your Personal Data;
- Auditors, advisors, legal representatives and similar agents in connection with the advisory services they provide to us, subject to the necessary confidentiality obligations;
- Third parties at any time when we are legally required to disclose your Personal Data and your use of our services, which include but are not limited to competent law enforcement bodies, regulatory, government agencies, courts or other third parties (e.g., the police, the financial supervisory authorities, the tax and social security agencies, as well as courts). Such disclosure shall be subject to our good faith and belief that it is necessary to protect your safety or the safety of others, to protect our rights, to prevent and investigate fraud, or to respond to a government request.
You can find below a non-exhaustive list of the bases of international transfers of Personal Data that may apply depending on you citizenship:
- Any international transfers of European Union (EU) citizens’ data outside the EU or European Economic Area (EEA) shall be based on the 2021 European Commission Standard Contractual Clauses, unless the European Commission has issued an Art. 45 GDPR adequacy decision for the importing country. More information on EU/EEA transfers is available on the European Commission’s website;
- Any international transfers of United Kingdom (UK) citizens’ data outside the UK shall be based on the 2010 European Commission Standard Contractual Clauses, unless the United Kingdom has issued an adequacy regulation for the importing country. More information on UK transfers is available on the Information Commissioner’s Office website.
IX. DIRECT MARKETING
Subject to the applicable legislation, Nexo may from time to time send direct marketing materials promoting its services and/or activities to its existing clients and Website users who have subscribed for updates. You may, at any time, opt out of such communications by utilising the marketing preferences centre provided with each direct marketing communication. You may also opt out of direct marketing by communicating your preferences to Nexo’s DPO at [email protected], who will add to the marketing suppression list in due course and confirm to have done so in writing.
X. DATA SECURITY
Personal Data collected by Nexo through the Nexo Platform or otherwise is kept on secure servers, hosted in a cloud environment in the EU. Nexo is ISO 27001 certified and uses security measures appropriate to the provision of the relevant Nexo Services, such as reasonable administrative, technical, personnel, and physical measures to protect your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We may use network safeguards such as firewalls and data encryption. In addition, we provide a limited need-to-know access to your Personal Data to those employees, agents, contractors, and other third parties who require access to fulfil their legal obligations. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. Those with access to your Personal Data are carefully screened, periodically re-evaluated, and are required to keep all your Personal Data confidential.
In the event of a security breaching leading up to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your Personal Data as transmitted, stored or otherwise Processed by Nexo, we shall inform you, without undue delay, where that Personal Data breach is likely to result in a high risk to your rights and freedoms in order to allow you to take the necessary precautions. Any actual personal data breach will also be reported to the relevant data protection authority.
If you want to know more about Nexo’s security practice, please visit our Website’s security panel by clicking here.
To help us protect your privacy, you should maintain the secrecy of your username and password used to log in to the Nexo Platform. Please note that a Nexo employee will never ask for your credentials. Nexo uses regular malware scanning.
XI. STORAGE AND RETENTION
Personal Data is stored for variable periods of time depending on the category of Personal Data and its usage:
- Some information might be deleted automatically based on specific schedules or via script upon request. If you have opted out of receiving marketing communications, we will hold your email address on our suppression list so that we know you do not want to receive these communications;
- Other data, such as account information, might be retained for a longer period based on the contract you have with us, in accordance with relevant industry standards or guidelines, and in accordance with our legitimate business interests, including prevention of promotion abuse and similar activities;
- We might further retain information for business practises based on our legitimate interest such as product and service improvement, fraud prevention, record-keeping, in the event of complaint or enforcing our legal rights;
- We might have to retain a certain set of Personal Data to comply with our audit, reporting and other legal requirements (including but not limited to the FATF recommendations and the relevant anti-money laundering legislation which oblige us to retain your Personal Data for a period of five (5) years after the end of the relationship between us, which retention period may be further extended in certain cases if so provided by and in accordance with the applicable legislation).
XII. YOUR RIGHTS
Depending on the jurisdiction you access the Nexo Platform from, your residency, or your citizenship, you may have one or more of the following Data Subject rights. Upon receipt of your requests at the contact details provided below, Nexo shall reply without undue delay and within the applicable statutory deadlines (as a rule of thumb, thirty (30) days extendable by two further months as per Art. 12 GDPR unless otherwise provided for by other applicable Privacy Laws).
List of Rights
- Access – you have a right to obtain confirmation as to whether or not Personal Data concerning you is being Processed, and, where that is the case, access to information about the Processing, including the purposes of the Processing, the categories of Personal Data, the recipients of the Personal Data, and its retention period.
- Rectification – you have the right to correct inaccurate Personal Data and/or complete incomplete Personal Data.
- Deletion/Erasure – you have the right to request erasure of Personal Data (the right to be forgotten). Nexo shall take reasonable steps to inform any other controllers also Processing the data of your request to have your Personal Data deleted, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be set out in Section 11 above.
- Restrict Processing – you have the right to restrict the Processing of Personal Data, under certain circumstances.
- Portability – you have the right to data portability to:
- receive a copy of the Personal Data in a structured, commonly used and machine-readable format;
- transmit the Personal Data to another data controller (including directly by another data controller where possible).
- Object to Processing – you have the right to object to Processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.
- Object to automated decision making – you have the right to not be subject to automated decision making, including profiling, which has legal or other significant effects on you.
- Withdraw consent – you may, at any time, withdraw your consent to Nexo’s Processing when the Processing is based solely on your consent.
To help protect your privacy and security, we will take reasonable steps to verify your identity before granting access to your Personal Data. We will make reasonable attempts to promptly investigate, comply with, or otherwise respond to your requests as may be required by applicable law. Depending upon the circumstances and the request, we may not be permitted to provide access to Personal Data or otherwise fully comply with your request; for example, producing your information may reveal the identity of someone else. We reserve the right to deny your requests where, at Nexo’s sole discretion, they may be manifestly unfounded or excessive, or otherwise unacceptable under applicable law.
Please note that any request with regards to Personal Data, which is publicly available, should be submitted directly to the third-party supplier of the information.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is manifestly unfounded or excessive.
XIII. CONTACT US
Data Protection Officer (DPO):
Please include the following information in your email:
- Full name;
- Preferred communication channel (if none selected, default is email);
- Country of residence and access;
- If a request to exercise your rights, the type of your request (access, portability, deletion, etc.);
- Detailed description of the request.
If you do not think we have been able to resolve your complaint, you can lodge a complaint directly to your data protection authority. For example, a list of all European supervisory bodies is available here.
Our services are not directed to persons under the age of 18 (eighteen) years old or of legal age to enter into contractual relations with Nexo (whichever is later) hereinafter “Children”, “Child” and we do not knowingly collect or process the Personal Data of Children. If we learn that we have inadvertently gathered Personal Data from a Child, we will take legally permissible measures to remove that information from our records. Nexo will require the user to close his or her account and will not allow the use of our services.
If you are a parent or guardian of a Child, and you become aware that a Child has provided Personal Data to us, please contact us at [email protected] immediately.