Last Updated: February 7, 2023
- Who are we?
UAB Nuvei (Lithuania) (“Nuvei”, “Company”, “we” or “us”) respects the privacy of the users of our payment processing platform (the “Platform”), banking services, as well as users of our websites available at: accounts.nuvei.com, and is committed to protect the Personal Data that users share with us in connection with the use of our Platform, banking services and/or Site (collectively – the “Service”).
If you register or use our Services in the US, the controller of your Personal Data (or its equivalent, as defined under applicable data protection laws) will be SimplexCC (US), Inc. If you register or use our Services elsewhere, the controllers of your Personal Data will be UAB Nuvei and your Personal Data would not be shared with the US entity – SimplexCC (US). SimplexCC Ltd. and UAB Nuvei, while processing your Personal Data, as a rule, act as a joint controllers, or sometimes the above entities have controller-processor relationship. SimplexCC (US) shares data of US citizens with SimplexCC Ltd. and UAB Nuvei only in controller-processor relationship (SimplexCC (US) acts as the controller, whereas SimplexCC Ltd. and UAB Nuvei – as the processors). Moreover, UAB Nuvei is a subsidiary of Nuvei group (Canada).
The Platform, Site and Social Accounts may contain links to external websites, such as our partner websites, websites promoting our Service, etc. When you follow links to any of these websites, please note that these sites and the services accessed through them have their own separate privacy policies and that we assume no responsibility or liability for these policies or for the collection of Personal Data on these sites. Before submitting Personal Data to there or using related services, it is important to review their privacy policies.
- From whom do we collect Personal Data?
- Site Visitors: Individuals who visit our Site and who may volunteer certain contact data (such as their email address) to receive communications from the Company or otherwise pre-register to receive our Service. For clarity, Site does not include any sites owned or operated by our Customers.
- Users: Individuals whose information we process to:
- Provide the Service to our Customers pursuant to our agreements with them; or
- Provide the Service directly to our Users via an e-money account or service account; this includes Users registering on behalf of an organization; or
- Fulfill regulatory objectives, prevent illegal activities and to comply with applicable laws.
- Customers: Those who register on their own or on behalf of an entity or organization to use the Company’s Service, including merchants and operators of the Exchanges. For the avoidance of doubt, Customers do not include Users.
- Other persons, including the ones who subscribe to direct marketing materials, apply to various job positions offered by us, acts as a representative of our partners, etc.
- How do we use your Personal Data and what principles do we keep?
We collect and process only such Personal Data as it is necessary to achieve the Personal Data processing purposes we have specified. When processing your Personal Data:
- We comply with the requirements of current and applicable legislation, including the GDPR;
- We process your Personal Data in a lawful, fair, and transparent manner;
- We collect your Personal Data for specified, clearly defined and legitimate purposes and do not process them in a way incompatible with those purposes, except to the extent permitted by law;
- We take all reasonable steps to ensure that Personal Data being inaccurate or incomplete, in accordance with the purposes for which they are processed, would be rectified, supplemented, suspended, or destroyed without delay;
- We hold Personal Data in such a form that your identity can be established for no longer than is necessary for the purposes for which the Personal Data are processed;
- We ensure that your Personal Data is processed securely, that we ensure technical and organizational security measures, as well as that we provide access to Personal Data only to those of our employees who need such access due to their work functions.
- How Do We Collect Personal Data?
We use the following methods of collection:
- Through your use of the Service and/or the transactions carried out in connection with the Service. In other words, when you are using the Service, including when you browse the Exchange(s), we collect and record the information relating to such usage, either independently or through the help of third-party services as detailed below.
- From our business partners – the Exchanges, our turnkey partners, cryptocurrency wallets and brokers. For example, when you return to the Exchange, such Exchange may provide us with your contact information (such as name, address, and date of birth), as well as usage information regarding your previous visits to its website(s) (for example, the User’s balance, previous logins, and previous transactions).
- Through publicly available sources. For example, we collect certain information about you through your publicly available SN Account(s) information, publicly available credit card blacklists and official limited bank account lists, and other online public information.
- From third-party services. For example, we may collect some data when we use third-party services to provide our Service and prevent fraud.
- Information which you provide us. For example, we collect Personal Data required to use the Service that you provide to us by completing the registration form, the onboarding process (if you register as the Customer) and/or contacting us directly.
- When your Personal Data, with your consent, is provided to us by other persons, including companies using our Services. For example, when such companies indicate your contacts, refer to you as an authorized person, etc.
The person providing Personal Data to us is responsible for the correctness, completeness, and relevance of such Personal Data, as well as for the consent of the person whose data is provided to submit his/her Personal Data to us. We may ask you to confirm that the person has the right to provide us with Personal Data (for example, by filling in service order or registration forms). If necessary (e. g. a person inquires us about receiving his/her Personal Data), we will indicate the provider of such Personal Data.
- What Personal Data are we processing?
We process your Personal Data for the following purposes and under the following conditions:
|Purpose of the processing of Personal Data||Personal data being processed||Personal Data processing period||Legal basis for the processing of Personal Data|
|Registration, use of account, user identification, provision of Service (individuals)||Name, surname, username, e-mail, password, phone number, , personal identity code, date of birth, country of birth, address, address for correspondence, nationality, citizenship, gender, passport/ID card copy and its details (e. g. type, number, issuance place and date, expiry date, MRZ code, signature), selfies, IP address, device geographical location, KYC questionnaire, details of user’s bank accounts and payments, Service and account usage history, monetary operations, information on sources of income, tax data, Wallet ID, information about the Services ordered and used and changes therein, data on PEP’s, other information required by law.||Personal data collected for the implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention shall be stored in accordance with the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania up to 8 (eight) years as of the transaction/termination of the Company’s relationship with the user. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority. –||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR) Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR) Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)|
|Registration, use of account, user identification, provision of Service (corporate)||Name, former name (if changed), trading name or doing business as, name and surname of representative of the customer (if any), names and surnames of all directors of the customer, including board members, supervisory council, names and surnames of ultimate beneficial owners of the customer (if any), names and surnames of persons with access right to the customer’s account at the Company, titles of general and limited partners (in case of partnerships), names, surnames, titles of main partners, citizenship, date of birth, declaration on connection with politically exposed persons of all above mentioned persons, gender of all natural persons, business registration address, business operational address, registration number, incorporation date, extract of registration and its date of issue, company’s status, proof of address for each UBO and customer’s representative (who acts under PoA), ID/Passport of UBO and representative persons and authorized persons to account, records of remote identification and verification of legal entity’s representative, records of remote identification and verification of legal entity’s persons who have access to its account, power of attorney (if applicable), representatives personal code (if applicable); e-mail; phone number and residence address. Information obtained via KYC questionnaire: number of employees, main business activities, business activities countries, authorized capital, last year turnover, planned turnover for next year, purpose of intended business relationship, source of incoming funds, anticipated monthly turnover, anticipated monthly count of transactions, any other document/ information on ad hoc basis.||Personal data collected for the implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention shall be stored in accordance with the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania up to 8 (eight) years as of the transaction/termination of the Company’s relationship with the user. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority.||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR) Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR) Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)|
|Other payments activity, Buy/Sell Crypto||Payments in fiat information: amounts and currency, external IBANs, purpose of transactions. Payments in crypto information: amounts and currency, wallet address. name and Surname; Selfies, ID or passport, billing address, phone number, email address, IP address, device geographical location, credit/debit cards info: first 6 and last 4 digits, BIN country, BIN bank.||From 3 to 8 years from the date of execution of the payment transaction.||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR). Legitimate interests of the data controller or a third party (risk assessment) (Article 6(1)(f) GDPR).|
|Branded Cards||First 4 and last 4 card digits, phone number for One Time Password, name and surname, payment history: amounts, currencies, fees, merchant name and address, linked internal account number.||8 years as of the transaction/termination of the Company’s relationship with the customer.||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR). Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR).|
|Chargeback||Name and surname, POID document, billing address, email, phone number, account number, IP address, device geographical location, wallet address, payment amount and currency, Zendesk tickets, device ID, chargeback request and other related information and proof.||The entire period of the dispute/claim and 5 years after the end of the out-of-court dispute /claim.||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR). Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR).|
|Execution of financial operations, accounting, debt management.||Name, surname, e-mail, phone number, position, place of work, address, relationship with the represented legal entity, account number, credit institution, payment information, debt information, data transferred by the company collecting the contributions and confirmations of payments.||According to the regulatory legal acts, as well as in accordance with the Index of General Document Storage Periods Approved by order No. V-100 of the Chief Archivist of the Republic of Lithuania of 9 March 2011. When the data does not fall within the above-mentioned storage area – the period of validity of the contract/cooperation between the parties and 10 years after the end of the contract/relationship (last contact).||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR) Data processing is necessary for to fulfil a legal obligation imposed on the data controller (Article 6(1)(c) GDPR) Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)|
|Evaluation and selection of candidates for the offered job.||Name, surname, e-mail, phone number, address, education and activity data, content of the CV, other information required for the selection/evaluation of the candidate or provided by the candidate.||The selection period and 3 months after the selection if the candidate’s consent to the retention of data after the selection has been obtained. When data are received not for a specific selection, they shall be stored for 3 months after the date of their receipt.||Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR) Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)|
|Sending news, conducting surveys, direct marketing, advertising.||Name, e-mail address, phone number, the data requested in the survey announcement/ questionnaire.||Data is processed for 1 year from the receipt of consent, unless you revoke your consent earlier.||Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR).|
|Settlement of disputes and claims.||Name, surname, workplace address, workplace position, contact with the represented legal entity, phone number, e-mail, the content of the claim or other similar document, information/documents related to the dispute/claim.||The entire period of the dispute/claim and 5 years after the end of the out-of-court dispute /claim resolution and 10 years after the end of judicial proceedings.||Data processing is necessary for to fulfil a legal obligation imposed on the data controller (Article 6(1)(c) GDPR) Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)|
In Social Accounts we can share information about ourselves, our content, events, news, surveys, as well as information about the employees we are looking for. Social accounts users are also subject to the privacy policies of the social networks owners. When you contact us on Social Accounts, depending on the privacy settings you choose, we may see certain user account information such as profile first name, surname, image, sex, e-mail address, location, etc. (the list is not exhaustive). If a user posts information by communicating with us on our Social Accounts (e. g. posts a comment in the comments section of our Social Account or posts a message on our Social Account profile), depending on the privacy settings chosen, the posted information may be made public (for example, visible on our Social Account to other users).
- Do we share your Personal Data?
Our business partners, suppliers, sub-contractors, or agents who perform services for it, or consultants such as auditors, lawyers, tax advisors, analytics and search engine providers that assist us in the improvement and optimization of the Platform, etc., as well as the Personal Data Processors we use, such as ancillary service providers, IT companies, advertising and marketing companies, accounting companies, etc. We require data processors to store, process and treat Personal Data as responsibly as we do and only in accordance with our instructions. We have such partners and data processors:
Marketing, Advertising Partners – TrustPilot (Denmark);
Payment partners – PAYBIS (UK), PAYBIS US (ZEROHASH), ELASTUM (LT, EE), H FINANCE (LT) (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area)
Accounting, financial services – Hashavim, PWC Israel, Billbeez, Altshuler Shaham Benefits, Howden, Priority, Jonathan Lubik consultants \ Econpartners, IBI trustee, Financial immunities, Michpal, Made Finance, Liram, OvdimNet Ayalon, Kna’an, Hi Bob (USA), RMR Consultants, Sima Kedem Ltd, Yoram Zilberman insurance agency, Baker Tilly Baltics (LT), UAB Scandinavian Accounting and Consulting (LT), SIA Ernst & Young Baltic (LV), MK TAX, Cogency Global, Mazars (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area);
IT solutions, IT security maintenance and technical services – 7CI (Israel), Ingenie (UK) Kyte Consultants Ltd (Malta) (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area).
Cloud and hosting providers – Amazon Web Services, Inc. (USA) Google, Inc. (USA) (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area).
To publish your content to Social Accounts, we provide data to these social media platform operators:
LinkedIn Ireland Unlimited Company (Ireland), LinkedIn Corporation (Ireland), Facebook Ireland Ltd. (Ireland), Facebook, Inc. (USA), YouTube, Inc. (USA), Twitter, Inc. (USA), Twitter International Company (Ireland), A Medium Corporation (USA) (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area).
State or local government institutions and authorities, law enforcement and pre-trial investigation institutions, courts and other dispute resolution institutions, other persons performing functions assigned by law, in accordance with the procedure provided for by legislation of the Republic of Lithuania. We provide these entities with mandatory information required by law or specified by the entities themselves.
We normally process Personal Data within the EEA, but in some cases your Personal Data may be transferred outside the EEA. The Company will always take steps to ensure any transfer of such information to entities based outside the EEA is carefully managed to protect your rights and interests by implementing Appropriate safeguards to protect Personal Data.
Your Personal Data will only be transferred outside the EEA under the following conditions:
- Data are transferred only to our reliable partners who ensure the provision of our services to you;
- EU Standard Contractual Clauses Approved by the European Commission, which ensure the security of transfers of your Personal Data, have been signed with such partners;
- The Commission of the European Union has decided on the eligibility of the country in which our partner is established, i.e., an adequate level of security is ensured;
- You have given your consent to the transfer of your Personal Data outside the EEA; or
- A special permit of the State Data Protection Inspectorate of the Republic of Lithuania was obtained to carry out such transfer.
To use the Service, you must be over the age of eighteen (18). Company does not knowingly process Personal Data from children under the age of eighteen (18) and does not wish to do so. We reserve the right to request proof of age at any stage so that we can verify that minors under the age of eighteen (18) are not using the Service. If it comes to our knowledge that a person under the age of eighteen (18) is using the Service, we will prohibit and block such User from accessing the Service and will take appropriate measures to prevent that User from making use of our Service.
- Tracking technologies
When you access or use the Service, Site or Platform, we may use (and authorize third parties to use) industry-wide technologies such as cookies or similar technologies, including web beacons, pixel tags, scripts, tags and other technologies that store certain information on your computer (“Local Storage”) and which will allow us to enable automatic activation of certain features, and make your Service experience much more convenient and effortless (collectively “Tracking Technologies”). These Tracking Technologies allow us and third parties to automatically collect information about you (such as your IP address, device unique identifiers and your online behavior), to enhance your navigation on our Site, improve our Site’s performance and customize your experience on our Site, as well as for advertising and fraud prevention purposes. We also use this information to collect statistics about the usage of our Site, perform analytics, deliver content which is tailored to your interests.
With your consent (only), we may use your Personal Data for direct marketing purposes to provide you with newsletters, offers and information about our Service, as well as to inquire about the quality of our performance.
The above content can be sent by e-mail, messages to the phone number specified by you, as well as messages in your account in the Platform or Site. Your contacts may be transferred to our partners who provide us with news sending or quality assessment services.
After sending such content, we can collect information about the people who received it, for example, which message people opened, what links they clicked on, etc. Such information is collected to offer you relevant and more tailored news and content.
Even if you have given your consent to the processing of Personal Data for direct marketing purposes, you can easily withdraw this consent for all or part of the Personal Data processing activities at any time. To do this, you can:
- notify us of your withdrawal in the manner specified in the provided message (e. g. by clicking on the “unsubscribe” link in the newsletter, etc.); or
If you withdraw your consent, we will try to stop sending such content to you immediately.
Withdrawal of consent does not automatically oblige us to destroy your Personal Data or provide you with information about the Personal Data processed by us, therefore, for these actions you should submit a separate request.
- Your rights
As a data subject, you have the following rights regarding your Personal Data:
- To know (to be informed) about the processing of your Personal Data (right to know);
- To access your Personal Data and the way they are processed (right of access);
- To request the correction or, depending on the purposes of the processing of Personal Data, supplementation of incomplete Personal Data (right to rectification);
- To request the erasure of your Personal Data or the suspension of your Personal Data processing activities (excluding storage) (right to erase and right to “be forgotten”);
- To request us to restrict the processing of Personal Data for one of the legitimate reasons (right to restrict);
- The right to transfer data (right to transfer). This right may be exercised only if there are grounds for its exercise and appropriate technical measures to ensure that the transfer of the requested Personal Data does not pose a risk of security breach to the data of other Data Subjects;
- The right to object the processing of your Personal Data when we process Personal Data based on a legitimate interest of the Company or a third party, including profiling. If you object, we will only be able to further process your Personal Data for compelling legitimate reasons that take precedence over your interests, rights, and freedoms, or to make, enforce or defend legal claims;
- Revoke your consent to the processing of your Personal Data when this data is processed or intended to be processed for direct marketing purposes, including profiling as far as such direct marketing is concerned (based on the Personal Data you provide, profiling may be carried out for direct marketing purposes to offer you individually tailored solutions and proposals. You can revoke your consent to the processing of Personal Data by automated processing, including profiling, or object to it at any time).
We may refuse to exercise your rights listed above, except for refusal to process your Personal Data for direct marketing purposes, competitions or in other cases when Personal Data is processed with your consent, when your request is allowed to us not to comply with the provision of the GDPR, or when, in cases provided for by law, it is necessary to ensure the prevention, investigation and detection of crimes, violations of official or professional ethics, as well as the protection of the rights and freedoms of the Data Subject, us and other persons, or when the Company has a legitimate interest.
You can exercise part of your rights as a Data Subject by changing the user account settings in the Platform or Site and the information contained therein. You may submit any request or instruction related to the processing of Personal Data to us in writing via Company’s internal system for handling Data Subject’s request. Please go to the UAB Nuvei Privacy Center and choose Data subject’s request options here: accounts.nuvei.com/privacy-policy.
When submitting such a request, we may ask you to fill in the necessary forms, as well as provide an identification document or other information that will help us to verify your identity, to better understand the content of your request. You may also send Data Subject’s request together with authorized personal document (ID or passport) copy to our office – Lvivo g. 37, Vilnius, LT-09306, Lithuania, however, we encourage you to submit you requests via our internal system since that channel is dedicated specifically to handle Data Subject’s requests.
Upon receipt of your request or instruction regarding the processing of Personal Data, no later than within 1 month from the date of the request, we will provide a response and perform the actions specified in the request or inform you why we refuse to perform them. If necessary, the specified period may be extended by a further 2 months, considering the complexity and number of requests. In such a case, within 1 month from the date of receipt of the request, we will inform you of such extension.
If Personal Data is deleted upon your request, we will only store copies of information that are necessary to protect our legitimate interests and those of others, to comply with the obligations of law, to resolve disputes, to recognize interference or to comply with any agreements you have entered with us. Please note that these rights are not absolute, and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations (such as AML/CTF regulations).
- How do we secure your Personal Data?
We take great care in implementing and maintaining the security of the Service and safeguarding any Personal Data we process. Personal Data, trusted to us, is hosted on Amazon Web Services and Google Cloud Services, which provides advanced security features. Company employs industry standard procedures and policies to ensure the safety of the Personal Data processed and to prevent unauthorized use of any such information. In addition, to safeguard the privacy expectation of the data subjects, Nuvei is Payment Card Industry Data Security Standards (“PCI DSS”) certified. Please note that while we take reasonable measures to safeguard your Personal Data, we cannot fully guarantee its absolute security.
- Our contacts:
UAB Nuvei Privacy center, Data subject requests, choose option OTHER
Or simply contact our Data Protection Officer: email@example.com
We will try to reply within a reasonable timeframe. Please feel free to reach out to us at any time. If you are unsatisfied with our response or decision, you can reach out to the applicable data protection authority:
The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija in Lithuanian, website available at https://vdai.lrv.lt/).