Privacy Policy
I. INTRODUCTION
This Nexo Privacy Policy (the “Privacy Policy”) governs the
privacy relations between you (“Client” or
“you”) and any holding company, subsidiary or entity
belonging to the Nexo group of companies (“Nexo” or
“we”), in regard to how we process and protect your
personal data as you use the Nexo Services provided on any Nexo website,
including https://nexo.com/ (the
“Website”), mobile application(s), Nexo application
programming interfaces (“APIs”) or third party applications relying on our
API (together, our “Apps”) and any other official Nexo communication
channel including the content and services made available on or through
the same, and any updates, upgrades, and versions thereof, and constitutes
a legally binding agreement (the “Agreement”) between the
parties. We encourage you to seek out and read the Privacy Policy to
understand how the information that we collect about you is used and
protected.
The Privacy Policy is reviewed regularly to ensure that any new services or
updates, as well as any changes to our business model and practices are
taken into consideration. We will alert you of material changes by, for
example, placing a notice on the Website, the Nexo Platform and/or by
sending you an email. Your continued use of the Nexo Platform after we make
changes is deemed to be acceptance of those changes, so please review the
Privacy Policy periodically for updates.
Unless stated otherwise herein, references shall be made to the
Nexo Services General Terms and Conditions, Nexo Crypto Credit General
Terms and Conditions, Nexo Earn Interest Product General Terms and
Conditions, Nexo Exchange Service General Terms and Conditions, Nexo
Cookies Policy, and any other terms and conditions governing the relevant Nexo service
(jointly the “Nexo General Terms”), for the access to the
Nexo Platform and all Nexo Services, and all the defined terms, used in this
Privacy Policy, shall have the same meaning as the one given to them in the
Nexo General Terms as the case may be.
II. DEFINITIONS
- Controller means any holding company, subsidiary or
entity belonging to the Nexo group of companies, which may have the
capacity of a personal data controller for the purpose of this Privacy
Policy;
- Processor means a natural or legal person, public
authority, agency or other body which processes personal data when
it processes data on behalf of the Controller;
- Nexo Platform means any Nexo website, mobile
application(s) and any other official Nexo communication channel,
including the content and services made available on or through the
same, and any updates, upgrades, and versions thereof;
- Personal Data means any information relating to an
identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier or
to one or more factors specific to that natural person;
- Privacy Laws means any applicable personal data
protection legislation;
- Processing means any operation or set of operations
which is performed on Personal Data or on sets of Personal Data.
III. INFORMATION WE COLLECT
Nexo may collect the following types of Personal Data when you visit the
Website, the Apps, register on the Nexo Platform, use Nexo Services, and
when you interact and communicate with Nexo on Website or through Apps:
1. User-provided information:
- Identification information: full name, personal
identification number, date, place and/or country of birth, country of
residence, copies of your identification document (passport, ID or
driver's licence) - front and back; gender, email address, PEP status
(Politically Exposed Persons), indicators of your social status or
official position held, sanctions status;
- Contact and communication information: permanent and
current address, telephone number, social media profiles, tags and
handles, messages in any social platform or communication channel or
medium;
- Labour status: occupation, industry, employment status;
- Financial information: bank account number, digital
asset wallet, source of funds, source of crypto, transaction history,
assets on the Nexo Platform;
- Biometric data: Facial image data (photos of face
including selfie images and photo or scan of face on the ID document),
Biometric data (numeric facial features based on photos or videos for
verification of identity);
- Other information: any information that you provide to
Nexo at your own discretion.
2. Information we collect automatically
When you visit the Nexo Platform, we automatically collect the following
information:
- Technical information, including the information about your device,
information related to the network, software and the network connection
with internet, information ensuring your access to your Nexo Account,
type and version of your browser, setting of the time zone, type and
version of the browser extensions, operating system and platform, screen
resolution, geolocation, font coding;
- Information about your website visits, including full history of your
visits from the Uniform Resource Locator (URL) to, via or from the Nexo
Platform (including date and hour of such visits); consent given to the
Terms and Conditions and the Cookie banner; services which you searched
for or have seen; forwarding/initial webpages; files you have seen on
our Nexo Platform (e.g. HTML pages, graphics, others), time for page
answer, uploading mistakes of the webpage, access time for the different
pages, information for the interaction of the webpage (like clicking,
moving the cursor, others) and the ways for getting out of the page. For
additional information please see our
Cookies Policy;
- Information generated by using Nexo interactive online chat service made
available in connection with the use of any of the Nexo Services or any
related matter, by interacting with the Digital Agents outlined in our
Chat Terms of Service. For additional information, please see the Chat
Terms of Service.
- Information generated by using Nexo Services, including assets on the
Nexo Platform, account status, loyalty level, transaction history,
activity log, IP log, geolocation.
3. Information we get from third parties
- Nexo may receive Personal Data about you from third parties in their
capacity of Processors (such as SumSub LTD), subject to a Data Processing
Agreement in place between Nexo and such Processors, in the context of
account creation and verification, and during the regular due diligence
processes, in compliance with its statutory and/or legal obligations,
and the provision of contractual obligations in relation to the
requested services. If you require more information about which of
your Personal Data is processed by SumSub on our behalf, please visit
SumSub's Privacy Policy - KYC/KYB Services Provider.
- Apart from the information above, Nexo does not request and/or collect
any Personal Data about you from third parties.
Please note that if you refuse to provide Personal Data when requested,
especially where we need to collect it by law, or under the terms of a
contract we have or are looking to enter into with you, we may not be able
to perform the relevant contract, including the ability to offer or continue
to provide our services to you.
IV. PROCESSING PURPOSES
Nexo may process your Personal Data only in accordance with the applicable
Privacy Laws and this Privacy Policy for the following purposes:
- Identification and verification: to process your
application and to provide services to you, to verify your identity
(this may also include the use of biometric technologies), including
to evidence and validate your presence at the time of your identity
verification and authentication, as may be required through the delivery
of our services;
- Transaction services: to accept and process orders,
process payments, and communicate with you about orders, services, and
promotional offers;
- Recommendations and personalization: to personalise
your experience and to allow us to deliver the type of content and
service offerings in which you are most interested, including to save
your preferences and login information, and to provide customised
content;
- Continuous improvement of the Nexo Platform: we use
your Personal Data to provide functionalities on, analyse performance,
fix errors, and improve the usability and effectiveness of the Nexo
Platform; to maintain the quality and safety of our services; for
internal quality control purposes including debugging to identify and
repair errors that impair existing intended functionality; to identify
and analyse service usage metrics and/or trends (e.g. pages visited,
functions used, etc.) and for data analysis, including for research,
audit, reporting or other business operation purposes;
- Compliance with applicable legislation: in certain
cases, we collect and use your Personal Data to comply with Privacy Laws
and other local and international applicable industry laws and
regulations;
- Communication: we use your Personal Data to communicate
with you in relation to your access to the Nexo Platform and for the
provision of Nexo Services, as well as for informing you regarding any
changes to Nexo, our services or our contractual relationship;
- Fraud prevention: we process your Personal Data to
monitor and detect security incidents, to protect against malicious,
deceptive, fraudulent or illegal activity, including money laundering,
terrorism financing and other criminal activities and hold those
responsible for that activity;
- Marketing purposes: we may use your Personal Data to
send you marketing communications by email or other agreed forms
(including social media campaigns), to ensure you are always kept
up-to-date with Nexo’s latest products and services. Any marketing
communications shall include an option to unsubscribe from the mailing
lists;
- Purposes for which we seek your consent: we may also
ask for your consent to process your Personal Data for a specific
purpose that we communicate to you. In such cases, when you consent to
Processing for a specified purpose, you may withdraw your consent at any
time, and we will cease Processing your Personal Data for that purpose;
- For any other purposes arising from the activities
listed above, not prohibited by law.
V. LEGAL BASIS FOR PROCESSING
To achieve the purposes listed above, Nexo collects and processes your
Personal Data in a legitimate and transparent manner under the Privacy Laws,
and namely:
- for the purpose of concluding and/or implementing a contract with you;
- to fulfil our obligations under the applicable legislation;
- for the purposes of our legitimate interests, except when your interests
and rights take precedence over Nexo’s legitimate interests; or
- based on your consent, where necessary - in the event your consent is
required, Personal Data Processing shall commence only after receipt of
such consent.
VI. AUTOMATED DECISION MAKING AND PROFILING
Automated decision making is the ability to make decisions by technological
means without human involvement. We use automated decision making, for
example, because it:
- allows greater consistency and fairness in the decision-making process
(e.g., it helps reduce the potential for human error or discrimination);
- creates better customer experience and facilitates your understanding
of the Nexo Services by using innovative Digital Agents technology;
- enables delivery of decisions within a shorter time frame than a
human-based process, improving the efficiency of the process;
- reduces the risk of clients failing to meet loan repayments.
Automated decisions can be based on any type of data, for example:
- data provided directly by the Data Subject to Nexo or its identity
verification service providers;
- data observed about the Data Subject (such as location data collected
via the Nexo Platform);
- inferred or derived data (your credit loan-to-value ratio as determined
by the Nexo Oracle).
VII. THIRD PARTIES
We may disclose your Personal Data to other selected third parties outside
of the Nexo group - service providers for the performance of our contractual
obligations with you, and for other purposes described in this Privacy Policy
and the Nexo General Terms.
We may share your Personal Data with the following categories of external
third parties:
- Banking and payment network service providers to enable you to upload
funds, make and receive payments and withdraw funds; these providers
include banks, acquirers, alternative payment providers, card providers
and account information service providers;
- Providers of risk assessment and fraud detection, know your customer
checks, anti-money laundering and counter-terrorism financing services;
- Third-party providers of AI technology according to the Chat Terms of
Service;
- Online advertising platforms for the purposes of marketing;
- Analytics and search engines providers that assist us in the improvement
and optimisation of the Nexo Platform;
- Cloud service providers who among other things provide us with the
necessary infrastructure to safely store and manage your Personal Data;
- Auditors, advisors, legal representatives and similar agents in
connection with the advisory services they provide to us, subject to the
necessary confidentiality obligations;
- Third parties at any time when we are legally required to disclose your
Personal Data and your use of our services, which include but are not
limited to competent law enforcement bodies, regulatory, government
agencies, courts or other third parties (e.g., the police, the financial
supervisory authorities, the tax and social security agencies, as well
as courts). Such disclosure shall be subject to our good faith and
belief that it is necessary to protect your safety or the safety of
others, to protect our rights, to prevent and investigate fraud, or to
respond to a government request.
You should also note that the Website and the Apps include links to third-party
websites, plug-ins, handles and applications. Clicking on those links or
enabling those connections may allow third parties to collect or share your
Personal Data. Nexo does not control these third-party websites and, to the
extent that such third parties are not Processors on our behalf, is not
responsible for their personal data processing activities. When you leave the
Website, we encourage you to read the privacy policy/notice of every
third-party website you visit.
VIII. TRANSFERS
When transferring Personal Data, we are committed to ensuring that the data
importer maintains materially similar security measures for storage and
Processing of Personal Data as we do. Your Personal Data may be processed,
stored and transferred to third parties in the manner and amount as provided
in this Privacy Policy, the contract(s) concluded between you and us, and
consents you give to us from time to time.
Locations outside your country of residence may be used for Processing
(including storage) the data we collect about you. The information we
transfer may be shared with our service providers. It may include such
processes as Processing a payment, data analysis (including fraud, risk and
compliance checks), collecting data on use of our websites and services, for
advertising purposes (including behavioural advertising), or offering
support for your service or product needs. We take all reasonable action to
ensure the safety of your Personal Data in agreement with this Privacy
Policy and applicable local and international legislation.
You can find below a non-exhaustive list of the bases of international
transfers of Personal Data that may apply depending on your citizenship:
- Any international transfers of European Union (EU)
citizens’ data outside the EU or European Economic Area
(EEA) shall be based on the 2021 European Commission
Standard Contractual Clauses, unless the European Commission has issued
an Art. 45 GDPR adequacy decision for the importing country. More
information on EU/EEA transfers is available on the European
Commission’s
website;
- Any international transfers of United Kingdom (UK)
citizens’ data outside the UK shall be based on the 2010 European
Commission Standard Contractual Clauses, unless the United Kingdom has
issued an adequacy regulation for the importing country. More
information on UK transfers is available on the Information
Commissioner’s Office
website.
IX. DIRECT MARKETING
Subject to the applicable legislation, Nexo may from time to time send
direct marketing materials promoting its services and/or activities to its
existing clients and Website users who have subscribed for updates. You may,
at any time, opt out of such communications by utilising the marketing
preferences centre provided with each direct marketing communication. You
may also opt out of direct marketing by communicating your preferences to
Nexo’s DPO at dpo@nexo.com, who will add
you to the marketing suppression list in due course and confirm to have done so
in writing.
X. DATA SECURITY
Personal Data collected by Nexo through the Nexo Platform or otherwise is
kept on secure servers, hosted in a cloud environment in the EU. Nexo is ISO
27001 certified and uses security measures appropriate to the provision of
the relevant Nexo Services, such as reasonable administrative, technical,
personnel, and physical measures to protect your Personal Data from being
accidentally lost, used or accessed in an unauthorised way, altered or
disclosed. We may use network safeguards such as firewalls and data
encryption. In addition, we provide limited, need-to-know access to your
Personal Data to those employees, agents, contractors, and other third
parties who require access to fulfil their legal obligations. They will only
process your Personal Data on our instructions, and they are subject to a
duty of confidentiality. Those with access to your Personal Data are
carefully screened, periodically re-evaluated, and are required to keep all
your Personal Data confidential.
In the event of a security breach leading to the unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, your Personal
Data as transmitted, stored or otherwise Processed by Nexo, we shall inform
you, without undue delay, where that Personal Data breach is likely to
result in a high risk to your rights and freedoms in order to allow you to
take the necessary precautions. Any actual personal data breach will also be
reported to the relevant data protection authority.
If you want to know more about Nexo’s security practice, please visit our
Website’s security panel by clicking
here.
To help us protect your privacy, you should maintain the secrecy of your
username and password used to log in to the Nexo Platform. Please note that
a Nexo employee will never ask for your credentials. Nexo uses regular
malware scanning.
XI. STORAGE AND RETENTION
Personal Data is stored for variable periods of time depending on the category
of Personal Data, processing purposes and its usage:
- Some information might be deleted automatically based on specific
schedules or via script upon request. If you have opted out of receiving
marketing communications, we will hold your email address on our
suppression list so that we know you do not want to receive these
communications;
- Other data, such as account information, might be retained for a longer
period based on the contract you have with us, in accordance with
relevant industry standards or guidelines, and in accordance with our
legitimate business interests, including prevention of promotion abuse
and similar activities;
- We might further retain information for business practices based on our
legitimate interest such as product and service improvement, fraud
prevention, record-keeping, in the event of complaint or enforcing our
legal rights;
- We might have to retain a certain set of Personal Data to comply with
our audit, reporting and other legal and regulatory obligations
(including but not limited to the FATF recommendations and the relevant
anti-money laundering legislation which oblige us to retain your Personal
Data for a period of five (5) years after the end of the relationship
between us or the date of the occasional transaction, which retention
period may be further extended in certain cases if so provided by and
in accordance with the applicable legislation).
- Subject to Data Processing Agreements concluded by and between Nexo and
third party service providers in their capacity of Processors on behalf
of Nexo, such Processors undertake to store and retain Personal Data in
accordance with the terms contained in this Privacy Policy.
XII. YOUR RIGHTS
Depending on the jurisdiction you access the Nexo Platform from, your
residency, or your citizenship, you may have one or more of the following
Data Subject rights. Upon receipt of your requests at the contact details
provided below, Nexo shall reply without undue delay and within the
applicable statutory deadlines (as a rule of thumb, thirty (30) days
extendable by two further months as per Art. 12 GDPR unless otherwise
provided for by other applicable Privacy Laws).
List of Rights
To help protect your privacy and security, we will take reasonable steps to
verify your identity before granting access to your Personal Data. We will
make reasonable attempts to promptly investigate, comply with, or otherwise
respond to your requests as may be required by applicable law. Depending
upon the circumstances and the request, we may not be permitted to provide
access to Personal Data or otherwise fully comply with your request; for
example, producing your information may reveal the identity of someone else.
We reserve the right to deny your requests where, at Nexo’s sole discretion,
they may be manifestly unfounded or excessive, or otherwise unacceptable
under applicable law.
Please note that any request with regards to Personal Data, which is
publicly available, should be submitted directly to the third-party supplier
of the information.
You will not have to pay a fee to access your Personal Data (or to exercise
any of the other rights). However, we may charge a reasonable fee if your
request is manifestly unfounded or excessive.
XIII. CONTACT US
We value your privacy. If you have any comments or questions about this Privacy
Policy, Nexo's handling of your Personal Data, a possible Personal Data Breach,
or to exercise your rights, please send an email to Nexo's Data Protection
Officer (DPO). Nexo will treat your requests or complaints confidentially.
Data Protection Officer (DPO):
dpo@nexo.com.
Please include the following information in your email:
- Full name;
- Preferred communication channel (if none selected, default is email);
- Country of residence and access;
- If a request to exercise your rights, the type of your request (access,
portability, deletion, etc.);
- Detailed description of the request.
If you do not think we have been able to resolve your complaint, you can
lodge a complaint directly to your data protection authority. For example, a
list of all European supervisory bodies is available
here.
XIV. MISCELLANEOUS
Our services are not directed to persons under the age of 18 (eighteen)
years old or of legal age to enter into contractual relations with Nexo
(whichever is later), hereinafter “Children” or
“Child”, and we do not knowingly collect or process the
Personal Data of Children. If we learn that we have inadvertently gathered
Personal Data from a Child, we will take legally permissible measures to
remove that information from our records. Nexo will require the user to
close his or her account and will not allow the use of our services.
If you are a parent or guardian of a Child, and you become aware that a
Child has provided Personal Data to us, please contact us at
dpo@nexo.com immediately.