As a personal data controller, we are committed to protecting our users' privacy. Keeping the information you share with us secure and ensuring your understanding of how we collect, use and maintain your personal information is important to us at Kredium. Therefore, we treat your personal data in line with the applicable data protection laws and highest international standards of personal data protection. We also continually assess new technology for protecting information and, when appropriate, we upgrade our information security systems accordingly.
“Personal Data” or “Personal Identifiable Information” (PII) means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, access, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Data Subject” means an identified or identifiable natural person to which the Personal Data pertain (Data Subjects)
“Data Controller” means the entity which, alone or jointly with others, determines the purposes of the Processing of Personal Data;
“Data Processor” means the entity which processes Personal Data on behalf of the Data Controller;“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not
“Data Security Measures” means technical and organizational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorized access, disclosure, alteration, destruction, and all other forms of unlawful data Processing, including measures to ensure the confidentiality of Personal Data;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
II Who we are
We are Kredium, a corporation organized and existing under the laws of the State of Delaware, registered at 3500 S DuPont Hwy, Dover DE, 19901 under the file number 6018194, with its principal office located at 902 Broadway, Floor 6, New York, NY 10010 (“Kredium” or “Company”).
The Company has appointed its Data Protection Officer (DPO) whom you may contact for all the inquiries related to personal data processing, as well as forexercising your privacy rights. You may contact our DPO by one of the following means:
- Sending an e-mail to: firstname.lastname@example.org;
- Sending a letter by post to: 902 Broadway, Floor 6, New York, NY 10010
- Filing a letter directly at the Company’s premises, with the reference “For Data Protection Officer”.
III Types of Data we process
In order to provide our services, we collect and process the following types of data:
a) Directly from clients:
- Personal data (name, last name, email, phone number, year of birth, home address, US residency status),
- Data on the purchased real estate (address, number, city, price, purpose and type of property)
- Data and documents for the purposes of the loan application (gross salary, information about savings or other available finances).
ii. Location DataWe may use and store information about your location if you give us permission to do so (“Location Data”). We use this data to provide features of our Service, to improve and customize our Service. You can enable or disable location services when you use our Service at any time, through your device settings.
iv. Job application dataWe may process your information like your contact details, your CV and your cover letter ("job application data"). Depending on the personal data you provide to us, the job application data may include your name, address, telephone number, email address, profile pictures, gender, date of birth, relationship status, interests and hobbies, educational details and employment details.
The application data may be processed for the following purposes: to assess your skills, qualifications, and suitability for the role, to communicate with you about the recruitment process, and to keep records related to our hiring processes.
The legal basis for processing Job application data is your consent. We may retain personal data from your CV for as long as it is necessary for our recruitment process but not longer than one year. You may withdraw your consent at any time via email@example.com.
v. Other DataWe may process any of your personal data identified in this Policy where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings, or in an administrative or out-of-court procedure. The legal basis for processing this data is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
We may process any of your personal data identified in this Policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for processing this data is our legitimate interests, namely the proper protection of our business against risks.
In addition to the specific purposes for which we may process your personal data set out in this section, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
Please do not supply any other person's personal data to us, unless we ask you to do so.
IV Legal Basis and Purpose of Data processing
Kredium may process your personal data for one of the following purposes, based on the specific legal basis:
- The legal basis for data processing for the purpose of providing a brokerage service in order to conclude a loan agreement is your consent. Once you have given your consent, you can revoke it at any time, in one of the ways described in Section XII – Data Subjects’ Rights. Explicit consent is required to process specific types of personal information that is necessary to provide certain services or products. Please note that if you revoke your consent for the processing of personal data necessary in order to provide our services, we will not be able to provide you with the desired service;
- The legal basis for processing your personal data is performance of contract concluded between you and us, or for taking action, at your request, before concluding the contract itself. Namely, data processing is necessary for the purposes of providing our Services to you. If you refuse to provide the information required for this purpose, the Company will not be able to enter into a contract with you or provide you with the requested service;
- The Company may process your personal data also when processing is necessary in order to comply with the statutory obligations of the controller (for example: compliance with the statutory obligations of the controller prescribed by the Law on Prevention of Money Laundering and Terrorist Financing, to meet the requirements of competent state authorities, etc.). The processing of data that is necessary for the purpose of complying with the law and fulfilling the prescribed legal obligations does not require the consent of the data subject;
- The Company may process your data when that processing is necessary in order to protect your vital interests or the vital interests of another individual;
- A situation where processing is necessary in order to pursue the legitimate interests of the controller or a third party. Namely, in certain cases, processing is necessary in order to achieve the legitimate interests of the Company or a third party, taking into account that the interests of the Company prevail over the interests or rights and freedoms of the person whose data it processes. The Company bases data processing on legitimate interests, for example, in the following situations: monitoring and maintaining security in the Company's business premises (video surveillance of business premises, visitor records), monitoring and maintaining security of IT systems and the Company's business, initiating and conducting legal proceedings before the state bodies for the purpose of exercising the rights and interests of the Company or other persons, prevention of fraud and other. The processing of data on the basis of a legitimate interest does not require the consent of the data subject, but the data subject has the right to use legal mechanisms at any time to exercise his/her rights in the manner described in the Rights of data subjects section;
- The Company processes personal data only for the purposes for which the data were collected.The purpose for which the Company processes data depends on the type of products and services you contract with us, where all data are processed to fulfill the purpose for which they are collected (to provide you with the most favorable offers and conditions for obtaining a home loan from Lenders).
Subject to the following paragraph, and as already mentioned above, we may use your Personal Data for marketing purposes, in particular to display to you or present you with advertisements and promotional materials, or to provide you information about our new products and other such information which we believe may be of interest to you, based on your use of and your interests in our Services, always provided that such use complies with applicable law.
Depending on the jurisdiction you reside in and in accordance with applicable law in your country, we will ask you to expressly consent to receiving marketing material or product information before we send you any marketing or promotional material.
V Sharing of your personal data with third parties
The Company has the right to disclose personal data and documentation related to a client, as well as data related to concluded Contracts with a client, to third parties, as follows:
- Lenders based on the cooperation agreement entered into between Kredium and Lender;
- Credit bureaus, insurance companies and all other entities who, due to the nature of the work they perform, must have access to such data, in accordance with the relevant regulations;
- Individuals with whom the Company has concluded an Agreement regulating the handling of confidential information;
- Bodies and individuals to whom the Company is obliged by law to submit appropriate data, including persons to whom your data are disclosed for the purpose of executing the contract we have concluded with you;
- Service providers - We may disclose your Personal Data to companies that provide services to us, such as companies that provide cloud computing services. The service providers are required to keep your Personal Data confidential and are not permitted to use your Personal Data for any other purpose than to carry out the services they are performing for us.
- For litigation and security purposes: We may also disclose your personal information if required to do so by law, or in our good faith that such action is reasonably necessary to comply with legal provisions, to comply with a legal requirement, or to protect security, or the rights of the Company, its clients or the public;
- In case of merger or acquisition of all or part of the Company by another company, or in case Kredium sells or otherwise disposes of all or part of the Company's business, the acquirer would have access to information available to the Company, which may include personal data, in accordance with applicable law. Similarly, personal data may be transferred as part of a corporate reorganization, insolvency proceeding or other similar event, if permitted, which will be done in accordance with applicable law;
- Other third parties with your consent - We may also share your Personal Data with other third parties when you consent to such sharing.
The Company will never share your personal information with any third party that intends to use it for direct marketing, unless we have previously notified you and you have given us explicit consent to do so.
VI International data transfers
Your Personal Data will be processed by Kredium that is located in Delaware, United States. In addition, when we share your Personal Data with other entities for purposes of providing you services, (as described in the section above on Sharing of Your Personal Data with Third Parties), such companies may be located outside the United States.
Before transferring your Personal Data outside the United States, we will take steps to ensure that such data will be afforded the same level of protection as under applicable data protection laws in the United States. For data transfers outside of these territories, the Company uses applicable safeguards, including the standard contractual clauses adopted by the European Commission, where appropriate, and will make available a copy to you upon request.
VII Data Retention
Your Personal Data will be retained only for so long as reasonably necessary for the purposes set out above, in accordance with applicable laws, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements. If a deletion of your Personal Data would only be possible with unreasonable efforts, we will anonymise it instead of deletion. We will not collect Personal Data about you that is not necessary for the purposes it is collected for.
VIII Privacy of Children
All processing of personal data presented in this document refers exclusively to persons aged at least 18 years. The use of the system, as well as the results of processing, is prohibited for children under this age without the consent of their parents / guardians. In the event that, despite our reasonable efforts to prevent this, such processing occurs, we will discontinue it after noticing the fact that the users are younger than the stated age.
IX Security of Data
The security of your data is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
X Automated decision making and profiling
The personal data referred to herein may be subject to automated decision making, including profiling. Based on the data you provide to Kredium and upon your consent, your profile will be provided to a Lender. The purpose of this type of processing is to provide you with the most suitable loan offer, based on your consent for data processing. In this case, the Data Subject has the right to challenge the decision made in the automated decision-making process, explained in section XII of this Policy.
XI Links To Other Sites
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
XII Data Subjects’ Rights
Within the context of processing of your personal data, you have the following rights:
a. The right to access your data
The right of access implies that the Data Subject may obtain from the Company information on whether his or her personal data are being processed and, if so, permission to access his or her personal data and obtain information on the processing. Upon request, the Company will provide a copy of the personal data it processes. For additional requests, the Company may charge a reasonable fee for administrative costs. If the request is submitted electronically and unless otherwise requested, the Company will submit the information in electronic form.
b. The right to request the rectification or erasure of personal data
At the request of the Data Subject, the Company will correct the personal data that are inaccurate or supplement the incomplete data. At the request of the Data Subject, the Company will delete his/her personal data if the conditions prescribed by the Law are met (e.g., if the purpose for which they were collected was met, if the consent for processing was withdrawn and there is no legal basis for processing). The Company may not delete personal data: if the obligation to process them is prescribed by law or the processing is mandatory for reasons of public interest protection (e.g., acting on behalf of a state body) or is necessary to protect the Company's interests such as initiating, filing or defending a legal request (e.g., filing a lawsuit, etc.).
c. The right to request the restriction of processing
At the request of the Data Subject, the Company will restrict the processing of his/her personal data in cases prescribed by law.
d. The right to data portability
At the request of the Data Subject, the Company shall provide personal data in a structured, commonly used, and machine-readable form (e.g., on a computer) and allow it to be transmitted to another controller without interference by the Company if the following conditions are met: (a) processing is based on consent or is necessary for the execution of the contract and (b) processing is performed automatically. This right includes the possibility to require the Company to transfer personal data directly to another controller if technically feasible.
e. The right to withdraw your consent for processing
You have the right to revoke your consent for processing of personal data at any time, however, please note that the revocation of consent does not affect the admissibility of processing on the basis of consent prior to your revocation.
You can revoke your consent by submitting a request to revoke the consent via the Company's email, by sending a letter to the address of the Company's registered office or by submitting the letter directly to the Company's premises with the reference "for Personal Data Protection Officer".
If you revoke your consent for processing of personal data that are necessary for the performance of our services, we will not be able to provide you with the desired service.
f. The right to object to the data processing
At any time, the Data Subject may file an objection to the processing of personal data based on a legitimate interest or which is necessary for the purpose of performing activities in the public interest or exercising the statutory powers of the Company. Upon filing an objection, the Company will suspend further processing of such data, unless there is a legal basis for processing that overrides the interests or freedoms of Data Subjects, or if the processing is performed for the purpose of initiating, filing or defending a legal claim (e.g., filing a lawsuit or counterclaims, etc).
g. The right not to be subject to a decision based solely on automated processing,including profiling
Within the business relationship between the Company and the Data Subject, and in order to exercise the rights and obligations arising from it, the Company may process client’s data in whole or in part in an automated manner, in order to offer and provide services that meet the specific needs of the Data Subject, as well as in order to improve the Company's business relationship with clients.
If he/she considers that his/her rights have been violated by a decision made in an automated decision-making process, the Data Subject has the right to challenge such a decision, express his/her position and request that the decision be reviewed with the participation of an authorized employee of the Company.
h. The right to file a complaint with the Data Protection Authority(the Commissioner for Free Access to Information of Public Importance and Personal Data Protection) and the right to address to the competent courts of law.
The data subject has the right to file a complaint with the competent Data Protection Authority or similar body handling data protection complaints if he/she considers that the processing of his/her personal data is carried out contrary to the provisions of the Law or other applicable regulations. Also, Data Subjects can address the courts in order to exercise their data protection rights.
However, before addressing these institutions, we encourage you to contact us and send a written request, dated and signed in printed format, to the following mailing address: 902 Broadway, Floor 6, New York, NY 10010, or via email to our Data Protection Officer at firstname.lastname@example.org, or by submitting the letter directly at the premises of the Company with the reference "For the Data Protection Officer."
The exercise of these rights is possible at any time.
Likewise, in case you want to withdraw your consent given for direct marketing purposes, you may use the “withdrawal” option offered in every marketing communication.
XIII Obligation to provide data
Providing your personal information allows us to perform the service for which you hired us. However, if you refuse to provide us with any requested information - we will not be able to perform the service for which you hired us, nor will we establish a contractual relationship with you, i.e. we will have to terminate the already established contractual relationship.
XIV Amendments to this Policy
Any questions regarding this document can be addressed to the Company’s Data
Protection Officer, via the following contact information: email@example.com.Updated on 23/12/2021