1. Introduction

At UAB “deVere E-Money” (“deVere”, “the Company”, “we” or “us”), we are dedicated to safeguarding and preserving your privacy when using our Services or communicating electronically with us.

This Privacy Policy and our Terms of use, (together the“Policy”), provides an explanation as to what happens to any personal data that you provide the Company, or that we collect from you or other sources whilst using our Services on our mobile application deVere Vault (“App”), our websites www.devere-emoney.com, www.devere-vault.com (together the “Website”), with prepaid multicurrency MasterCard card and other online products and non-banking services (“Services”), that enable you to convert currency and make payments swiftly and in a cost-effective manner. You may choose not to provide any information to us, in which case, the Company may be unable to provide its Services to you; services such as, receiving money, sending money and exchanging currency etc.

Data Controller - UAB “deVere E-Money, UAB, company code is 304469514, the address is Technopolis Delta, J. Balčikonio str. 9 LT- 08314, Vilnius, Lithuania. The Company is the electronic money institution, authorized and regulated by the Lithuanian supervisory authority - Bank of Lithuania. The license of the Company and all activities covered by it can be checked here: www.lb.lt/en/enforcement-measures-1

All activities of the Company are regulated by the applicable laws related to the electronic money, including, but not limited to the legal acts related to the financial institutions and financial services.

The Company is collecting and using the personal data (hereinafter - “Personal data”) of its potential, existing and/or former customers, customer's employee or other parties, e.g. beneficial owners, authorised representatives, business partners, other associated parties and/or person contacting us using e-mail or other communication measures (hereinafter - “Customers” or “you”), the Company is obligated to use and process the Personal data of the Customers only in accordance with this Policy and the applicable legal acts which regulate the protection of Personal data, including the General Data Protection Regulation (2016/679) (hereinafter - “GDPR”), the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania, Law on Legal protection of personal data of the Republic of Lithuania and other applicable legal acts.

The Company updates this Policy from time to time. We will inform you in advance about the essential changes of the Policy by way of notification to your account or your email. Other than that, please review this Policy regularly. Any changes and clarifications will take effect on the date indicated in the prior notification.

2. Principles

Managing Personal Data

The Company commits to comply with the provisions of the Law on Legal Protection of Personal Data of the Republic of Lithuania and all of the other Laws and/or legal acts that are applicable, as well as the GDPR and all other legal acts of the European Union that are applicable in accordance with the Personal data protection regulations for the specific country in which our Services are provided.

The Company manages personal data in observance of the following principles:

1. Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; ('purpose limitation');
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimization');
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; ('storage limitation');
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ('integrity and confidentiality').
7. Data processing operations are documented to prove the GDPR compliance ('accountability').

3. Information

When providing its Services or communicating electronically with you, the Company collects and processes certain data about you. This information may be provided to us by yourself, or we may collect information about you from you or other sources, as described below.

Use of Your Information

• Purposes of data processing (legal basis)	Processed data	Envisaged periods for storing and (or) deleting the data (where possible)
  Taking necessary steps to conclude Customer contracts and performing Customer contracts Legal basis: contractual obligation to perform a contract	first name; last name; e-mail address; phone number; birth date; country; city; state; address; zip code; expiry date of ID documents; citizenship	During contract term and up to 10 years after the contractual relationship ends; Personal data which has been collected in order to fulfil the obligations under the Law on Money Laundering and Terrorist Financing Prevention - in accordance with the law, generally up to 8 (eight) years.
  Carrying out legal obligations related to onboarding of Customers, provision of services to the Customers (KYC, AML, creditworthiness and financial risk assessment and similar), tax obligations, accounting requirements, archiving requirements Legal basis: statutory necessity derived from the Law on Anti-money Laundering and CTF Prevention Law on Financial Institutions Law on Electronic Money and Electronic Money Institutions Law on Payment Services	first name; last name; e-mail address; phone number; birth date; country; city; state; address; zip code; expiry date of ID documents ; citizenship; employment status; employer name; annual spending volume; wallet token number; date of registration; user connect code; time and date of last and next Ongoing Due Diligence (ODD) process and Enhanced Due Diligence (EDD) process; companion card limit; IP address; customer account reference number; opt-in/opt-out status concerning marketing activities customer type; PEP status; expected use of services; source of funds; account purpose; main payment countries; tax residency country; tax identification number; status as an undocumented account (in case the PoA is missing or unacceptable; distribution address; account status; risk score; KYC documents and other data (proof of address, proof of identity); other personal data depending on specific circumstances; transaction data (date, beneficiary details, amount and currency of transactions, IBAN, debit card number); scanned or photographed face image or image provided via identification application. Contact person of a customer (legal entity): first name; last name; mobile phone country code; phone number; e-mail address. Authorised person of a customer (legal entity): position; citizenship; first name; last name; date of birth; mobile phone country code; phone number; e-mail address; address; status as a U.S. citizen, tax resident, Green Card Holder, or being born in U.S.; PEP status; proof of address. Executive (director, representative) of a customer (legal entity): position; citizenship; first name; last name; date of birth; status as a U.S. citizen, tax resident, Green Card Holder, or being born in U.S.; PEP status; address; ID document (document type, document number, issuing country; date of issue; date of expiry), incl. photo of the document; proof of address. Shareholder of a customer (legal entity): citizenship; first name; last name; date of birth; share percentage; status as a U.S. citizen, tax resident, Green Card Holder, or being born in U.S.; PEP status; address; e-mail address; phone number; status as an UBO; source of wealth; tax number; tax country; status as an executive, director, representative of the customer; ID document (document type, document number, issuing country; date of issue; date of expiry), incl. photo of the document; proof of address; proof of source of funds.	During contract term and up to 10 years after the contractual relationship ends; Personal data which has been collected in order to fulfil the obligations under the Law on Money Laundering and Terrorist Financing Prevention - in accordance with the law, Generally, up to 8 (eight) years.
  Communication - customer service Legal basis: overriding legitimate interest of the Company to provide good customer service	Email; Account information; Name, last name; Telephone.	Data is stored for up to 6 months after the Customer claim is resolved.
  Direct marketing Legal basis: consent (opt-out). Direct marketing is based on two separate consents (opt-out) given via the application.	Name; E-mail address; Opt-in/opt-out status.	Data is stored for as long as the Customer‘s consent is valid (until withdrawn), unless personal data is needed for other processing purposes (such as performance of a contract).

4. Direct Marketing

Due to the respect of your rights granted to you as data subject, please find the information how we use your data for direct marketing purposes.

As a deVere E-Money client, we will provide you with information on products and services that we offer, or a new promotion that we're running that is related to your Vault Business account only if you agree to receive direct marketing communication (“opt-in”). These communications may be via email or in-app message, which can be viewed in the notification center. The only information we will use to contact you is that which you provided when first signing up for Vault app or Vault Business platform, that is, your first name and email address. If you do not want to receive these messages from deVere E-Money any longer, you can “opt out” at any time by navigating to the Vault app > Settings > Contact Preferences or inform our DPO at [email protected].

We provide a clear, free-of-charge and easily realizable possibility for you at any time not to give your consent or to withdraw your given consent for sending proposals put forward by us. We shall state in each notification sent by e-mail that you are entitled to object to the processing of the Personal Data or refuse to receive notifications from us. You shall be entitled to refuse to receive notifications from us by clicking on the respective link in each e-mail notification. You also have a right to withhold your consent at the time of setting up your account with us.

Please be informed that the Company is part of the wider deVere Group of Companies and you may at any time request to receive marketing emails and/or calls about products and services that they offer. The list of the deVere Group of Companies are publicly available here: www.devere-group.com/globalpresence. If you wish to receive such marketing emails and/or calls about products and services, please choose the “opt-in” within the Vault Business app > Settings > Contact Preferences. Only in case you choose to receive direct marketing e-mails or calls about the services and products that deVere Group of Companies are offering, the Company will share with them your first name and email address. Please note that neither the Company, nor the deVere Group of Companies share your personal data with third-party organizations. You can stop receiving marketing emails and/or calls from deVere Group of Companies by “opt out” at any time by navigating to the Vault Business app > Settings > Preferences; or by informing our DPO at [email protected].

Please note that if you choose not to agree to receive these marketing messages offered by us, by deVere Group Companies or both, this will not affect the services in any way.

5. Our identification tools

In order to perform your identity verification, the Company is using the services provided by our partner Ondato, UAB. The Service Provider takes the photo images or video records of your face and your ID document that you provide through a mobile application or a dedicated website using the camera. For more information on Ondato, UAB please read its Privacy Policy www.ondato.com/privacy-policy.

Ondato, UAB solution is used for comparing live photographic data or video record of yourself and your ID document, to comply with legal obligations (e. g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania and other fraud and crime prevention purposes) and risk management obligations.

The result of the face similarity (match or mismatch) will be retained for as long as it is necessary to carry out verification and for the period required by anti-money laundering laws.

The Company ensures that your face similarity check is a process of comparing data acquired at the time of the verification, i. e. this is a one-time user authorization by comparing person's photos to each other. Your facial template is not created, recorded or stored. It is not possible to regenerate the raw data from retained information. This process shall allow us to verify your identity more precisely and make the process quicker and easier to execute. If you do not feel comfortable with this identification method you may contact us by email [email protected] for an alternative way to identify yourself.

6. Automated Decision Making

Automated decision-making refers to the processing using, for example, software code or an algorithm, which does not require human intervention. Currently we are not using automated decision-making technologies. However, if we decide to do so, we will provide you with further information about the logic involved, as well as the significance and the envisaged consequences to you.

Please be informed that you can request a manual review of the accuracy of an automated decision in case you are not satisfied with it and you have the right not to be subject to a decision based solely on such automated processing.

7. Retaining Your Personal Data

Please be informed that your Personal data is stored for no longer period than it is necessary for the purposes for which it was collected or for the period set forth by applicable laws.

If the legislation of the Republic of Lithuania does not provide any period of retention of Personal Data, this period shall be determined by us, taking into account the legitimate purpose of the data retention, the legal basis and the principles of lawful processing of Personal Data.

Please also be informed that under some circumstances, your Personal Data might be stored longer than it is indicated in the table above, mainly:

1. in case it is necessary in order for us to defend ourselves against claims, demands or action and in order to exercise our rights in a proper way;
2. in case there is a reasonable suspicion of an unlawful act that is being investigated;
3. in case your Personal Data is necessary for the proper resolution of a dispute/complaint;
4. under other statutory grounds.

8. Personal Data Transfer

We may transfer data that we collect from you to locations outside of the European Union and European Economic Area for processing and storing. Also, it may be processed by staff operating outside the European Union and European Economic Area who work for us, for deVere Group of Companies or for one of our partners, acting and processing data on behalf of deVere Group of Companies according to the data processing agreements signed between the parties. The Company will take all reasonable steps to make sure that your data is treated securely and in agreement with this Privacy Policy. These data transfers are usually based on adequacy decisions by the European Commission (Art. 45 GDPR). Where this is not the case, e.g., when it comes to transfers to the USA, India the data transfers are especially based on EU Standard contractual clauses in line with the templates adopted by the European Commission (Art. 46 paragraph 2 lit. c, paragraph. 5 sentence. 2 GDPR), or on a derogation according to Art. 49 GDPR. You may ask deVere to provide you a copy by contacting the deVere Data Protection Officer at [email protected].

Data that is provided to us is stored on our secure servers located in Netherlands. Details relating to any transactions entered on our Website / App will be encrypted to ensure its safety.

The transmission of information via the internet is not completely secure and hence the Company cannot guarantee the security of data sent to us electronically and transmission of such data is therefore entirely at your own risk. Where we have given you (or where you have chosen) a password so that you can access certain parts of our site, you are responsible for keeping this password confidential.

9. Disclosing Your Information

We may disclose and/or transfer your Personal data only in accordance with legal regulations and the principles of confidentiality to the following categories of recipients:

1. the deVere Group, our external partner companies, agents or intermediaries who are a necessary part of the provision of our products and Services;
2. external service providers that help us to provide Services for you;
3. third parties where we have a duty to or are permitted to disclose your personal information by law, mainly: governmental bodies and/or supervisory authorities (in accordance with the requirements and obligations under the provisions of legal acts concerning anti-money laundering, fraud prevention, counter terrorist financing), credit, financial, payment and/or other electronic money institutions, pre-trial investigation institutions, the State Tax Inspectorate;
4. third parties where reasonably required to protect our rights, systems and services, mainly: lawyers, bailiffs, auditors etc.;
5. service providers such as: cloud storage/servers providers, card issuing institutions, identification and verification service providers, other service providers with which we have concluded service provision agreements (e.g. companies providing services for money laundering, politically exposed persons and terrorist financing check-up, other fraud and crime preventions) or when mentioned sharing is mandatory according to applicable laws;
6. beneficiaries of transaction funds receiving the information in payment statements together with the funds of the transaction;
7. the relevant parties in case of a merger and acquisition to which the Company is a part to;
8. other entities that have a legitimate interest or the Personal data may be shared with them under the contract which is concluded between you and us.

10. Third Party Links

You might find links to third party websites on our Website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.

11. Security of Your Personal Information

We have technical, administrative and physical safeguards in place to help protect against unauthorized access to, use or disclosure of your information we collect or store. Our employees are trained on the importance of protecting privacy and on the proper access to, use and disclosure of customer information. Under our practices and policies, access to sensitive personally identifiable information is authorized only for those who have a business need for such access.

Although we work hard to protect your personal information that we collect and store, no website or app is 100% secure and we cannot guarantee that our safeguards will prevent every unauthorized attempt to access, use or disclose personal information.

We will inform you of any breach of personal data within the term set forth by the applicable law, when the Personal data breach is likely to result in a high risk to your rights and freedoms.

12. The rights granted to you as the data subject

You, as a data subject, shall have the right to:

1. know/be informed about the processing of your Personal data, have access to your Personal data and familiarize yourself with the processing method;
   You have the right to get information about which Personal data concerning you we process. However, this right may be restricted by legislation, protection of other persons' privacy and consideration for the Company's business concept and business practices. The Company's know-how, business secrets as well as internal assessments and material may restrict your right of access.
2. rectification of incorrect or incomplete data;
   If it turns out that we process Personal data about you that is inaccurate, you have the right to request a rectification of the Personal data. You can also request to have incomplete Personal data about you completed.
3. have any or all of your Personal data erased;
   You have the right to have any or all of your Personal data erased. Provided we do not have any continuing lawful reason to continue processing or holding your Personal data, we will make reasonable efforts to comply with your request. In certain cases, we cannot erase all of your Personal data. In such case this would be due to the fact that we need to store your Personal data due to a contractual relationship or law.
4. restriction of processing of your Personal data;
   You may also ask us to restrict processing your Personal data for a period of time. This can pertain, for example, to a situation where you believe it is unlawful for us to do so and/or data about you is inaccurate and we need to verify it. It can also pertain to a situation where you object to processing that we base on a legitimate interest. In such a case we must verify if our grounds override yours.
5. object to any use of your Personal data which is based on the legitimate interests;
   Where we rely on our or third party's legitimate interests as the legal basis for processing your Personal data, you have the right to object to us using your Personal data, unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights.
6. Personal data portability;
   In certain situations, you can ask us to transfer your Personal data to another data controller or provide directly to you in a convenient format (NOTE: applicable to Personal data which is provided by you and which is processed by automated means on the basis of consent or on the basis of conclusion and performance of the agreement).
7. withdraw your consent;
   In certain situations, where we rely on your consent as the legal basis for processing your Personal data, you may withdraw your consent at any time. In case you withdraw your consent, we will stop that particular processing, when the processing is based on such consent. However, if you withdraw your consent, our use of your Personal data before you withdraw remains lawful;
8. lodge a complaint with a supervisory authority;
   In case you consider that our processing of your Personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation, you may lodge a complaint with a supervisory authority - the State Data Protection Inspectorate. You may apply in accordance with the procedures for handling complaints that are established by the State Data Protection Inspectorate and which may be found on the website: www.vdai.lrv.lt.

We will exercise the required rights only after we receive your written request to exercise a particular right indicated above and only after confirming the validity of your identity.

If you would like to exercise the rights mentioned above, please contact us at [email protected].

Your requests shall be fulfilled or fulfilment of your requests shall be refused by specifying the reasons for such refusal within 30 (thirty) calendar days from the date of submission of the request meeting our internal rules and GDPR. The afore-mentioned time frame may be extended for 30 (thirty) calendar days by giving prior notice to you if the request is related to a great scope of Personal data or other simultaneously examined requests.

The Company must provide conditions to you to exercise the rights specified above, with the exceptions of cases provided by law when it is necessary to ensure:

1. state security or defence;
2. public order, the prevention, investigation, detection and prosecution of criminal offence;
3. important economic or financial interests of the state;
4. prevention, investigation, detection of breaches of official or professional ethics;
5. protection of rights and freedoms of the data subject or any other persons.

The Company also ensures all other rights, guarantees and interests of the Data subjects guaranteed by GDPR and other legal acts of the Republic of Lithuania.

13. Use of Cookies

If you access any information or services through the Company's Website, you should be aware that the Company uses cookies which are small text files that are placed on your computer or mobile device when you visit a Company's Website, containing some information connected with your usage of the Website.

For more information on how to control your cookies settings and browser settings or how to delete cookies on your hard drive, please read the Cookies Policy which is available on the Company's Website: www.devere-emoney.com/cookies-policy.

14. Data protection officer

The Company has appointed a data protection officer (hereinafter the Officer). The appointed person may be reached at [email protected].

15. Contacting Us

If you have any questions or concerns about our Policy or data processing or if you would like to make a complaint about a possible breach of privacy laws, please contact us at [email protected].

When a privacy question or access/download request is received we have a dedicated team which triages the contacts and seeks to address the specific concern or query which you are seeking to raise. Where your issue may be more substantive in nature, more information may be sought from you. All such substantive contacts receive a response. If you are unsatisfied with the reply received, you may refer your complaint to the supervisory authority or to the competent court. If you ask us, we will endeavour to provide you with information about relevant complaint avenues which may be applicable to your circumstances.

If you have any questions or concerns about our Policy or data processing or if you would like to make a complaint about a possible breach of privacy laws, please contact us at [email protected].