Privacy Policy


  1. Introduction
    In this Privacy Policy, “IUVO”, “we”, “us” or “our” means IUVO Group OÜ and “you”, “your” and “user” means visitors to our website and all landing pages connected to it and assignors.
    This Privacy Policy explains and governs:
    • how and when we collect your personal data, and what information we collect;
    • how and why we use your personal data; and
    • your rights to control your personal data.
    Please read this Privacy Policy carefully. By accessing and using our website and services, you acknowledge that you have had an appropriate opportunity to read this Privacy Policy, that you understand it and that you agree to be bound by it. If you do not, you will not be able to use the services provided through the website in completeness. If you have any additional questions regarding this Privacy Policy, please contact us at our contact details provided below.
    We may amend this Privacy Policy to comply with applicable laws and regulations or to meet changing business requirements. We invite you to review this page periodically for up-to-date information about our privacy practices and changes to our Privacy Policy.

Group of companies in Management Financial Group, the corporate group of companies and other corporate entities owned and/or controlled by Management Financial Group AD, a company that is incorporated and existing under the laws of the Republic of Bulgaria, with UIC: 203753425. You can find more information about all the companies in the MFG Group here.

 

  2. Who are we?

The IUVO portal is operated by and your personal data is processed by IUVO GROUP OÜ, commercial registry code: 14063375, address of management: Narva mnt 5, Tallinn 10117, Republic of Estonia, telephone: + 372 880 7011, e-mail: [email protected].

  3. Contact us in relation to personal data processing
    In order to exercise your rights as mentioned above, please fill in and send to us this FORM by e-mail to [email protected].
    In case of further questions or complaints concerning our data processing activities, please address them to [email protected]. Alternatively, you can write to us at Narva mnt 5, Tallinn 10117, Republic of Estonia.

 

  4. What is personal data and how, when and what personal information do we collect and process?

 

  4.1 Personal data
    Personal data is any information we have on a user which allows the user to be identified, either directly or indirectly. Under the EU General Data Protection Regulation 2016/679 (hereinafter referred to as the GDPR), we have the obligation to inform you about data processing activities which are conducted by us using the personal data we have collected or generated.

Personal data that IUVO may process may include the following data:

 

  • General personal information: full name (first name, last name); date of birth; personal identification code or another relevant identifier.
  • Identification information, KYC and AML data: identification document (for example national ID card) and information included in such document (document number; date of issue; date of expiry; issuing country; photo); PEP information. We collect information which allows us to identify you to fulfil our regulatory obligations and to provide our services. We may collect information from various reliable and independent sources, whether public or private, to verify the information you have submitted to us (see more below under “Information collected from external third-party sources”). To sign up at our website, we ask for your first name and surname, date of birth, residence and/or location, a copy of your identification document (only if necessary).
  • Contact information: e-mail address; mailing address; phone number. If you use our services, we collect information about the means of communication for contacting the user (phone, e-mail, etc.).
  • Account related information: login data; password, preferences (such as language). As we provide our services in various jurisdictions, we might ask for the communication language preferred by you out of the languages we offer for the website or for general communication to provide you a better customer experience.
  • Payment information: payment-related information connected to the use of our services. If you buy claims via our portal, we need information about your bank account. All payments to and from your virtual account opened at our website portal can be made only to and from the bank account you have provided to us. For further information, please see section “Virtual Account and adding funds” in the user terms.
  • Usage information: information on how our services are used, including feedback provided and technical information collected during use of the services. While you are using our services, you create metadata in connection with your activities on our website. The information that is being collected by the portal consists of log-in data, beginning and end of registration in the portal, etc. What is more, we have information about the agreements you have entered into via the portal. We may also collect information about your computer (including, where available, your IP address, operating system and browser type), your interaction with the marketplace and our website, and email performance data. We use this information for several reasons, including for marketing, for marketplace administration, service improvement and statistics purposes. Our Cookie Policy describes these processes in more detail. When you have agreed to activate and use third-party cookies, you should keep in mind that your data will be processed, transmitted, transferred and stored in accordance with their privacy policy. Based on your explicit consent, your data may be shared in countries without an adequate level of protection. Detailed information about the cookies used is available in the Cookie Policy: https://www.iuvo-group.com/bg/cookie-policy/. You can make an individual choice to use and/or restrict certain cookies from your browser settings.
  • Information from third-party sources: We might have personal data collected from various private or public sources solely for fulfilling the legal obligations of the portal operator under the applicable laws (incl. via media and Internet). Most of all, this means collecting information on you so that we would be able to fulfil our anti-money laundering requirements. The sources for such information may vary and cannot be fully determined. This information, which often contains personal data, includes:
    • information and reports from credit reference agencies, fraud prevention agencies, insolvency practitioners, debt advisers and tracing agents;
    • commercial databases and marketing databases; and
    • public records and other publicly available information sources.

A more detailed overview of what personal data we process is provided in Section 5 below.

 

 

  4.2 Processing of personal data
    Processing of personal data means any operation which is performed using the personal data, including but not limited to collecting, recording, retention, arrangement, use, amending, delivering, disclosure and deleting of your personal data by the portal operator IUVO. Whether automated or not, all above mentioned activities are deemed as processing of your personal data.
    The controller of the processing of the personal data is the portal operator IUVO Group OÜ. To contact our DPO, please write to the email address [email protected].

 

 

  4.3 The purpose of processing personal data and the legal basis

IUVO processes personal data primarily for the purposes of providing services to our clients, i.e. for performing its contractual obligations to our clients. The legal basis for such personal data processing is article 6(1)(b) of the GDPR – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. We are responsible for assisting the users in concluding the agreements as well as for the maintenance of the claims deriving from the agreements. Some specific requirements from the applicable laws may require us to perform data processing activities from which we may not refrain.

We collect, store and use your personal data:

  • to inform you about developments and changes to our products and services;
  • to develop and improve our services, products and business, including analyzing and improving our credit risk models and our customer service offering;
  • to transfer money;
  • to carry out mandatory or other regulatory checks;
  • to comply with our legal and regulatory obligations;
  • to carry out statistical analysis and market research and testing;
  • to send you news and marketing materials. To enable us to deliver you information about our products and related promotional materials and/or notices, also the products and/or promotional materials and/or notices of the persons belonging to the same group with us or our third-party cooperation partners, we have asked for your prior consent. You may renew your consents any time while using our services. This does not concern notices and materials sent to you as part of our obligations under the User terms in connection with the agreements you have entered into in order to:
  • to open accounts on our web-site and to manage and maintain those accounts;
  • to verify your identity and the other information you have provided to us, including your bank account information;
  • to update your personal data and the records we keep regarding you;
  • for the prevention and detection of fraud or other illegal or criminal activity – Anti-money laundering rules oblige us to hand over specific information to the financial intelligence unit, a special unit of the Estonian Police and Border Guard Board. In some cases, we are not allowed to inform you about such exchange of information;

 

IUVO may process personal data also where it is required to perform a legal obligation applicable to IUVO. For example, in case a court requests personal data from IUVO under an applicable court ruling or court judgement or a law enforcement agency requests personal data under an applicable regulation. Also, if IUVO is obligated to keep personal data, for example, under the Accounting Act, under the Money Laundering and Terrorist Financing Prevention Act or other applicable legal act. In case of such personal data processing, the legal basis is article 6(1)(c) of the GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject.

 

IUVO may process personal data if you have granted consent for a specific data processing purpose. The legal basis for such processing is article 6(1)(a) of the GDPR. For example, when you participate in the Refer-a-friend program as a Referred person in your capacity of a natural person, we collect and process your personal data – first name and family name and your e-mail address. The described personal data has been given to us by a Referring person (your friend) with confirmation given to us by him/her that you have given your consent to receive an e-mail from us with an option to confirm your consent and take the next steps to register in the IUVO portal as a claims buyer or to demand from us erasure of your personal data and/or termination of the processing of your personal data. If you don’t confirm your consent and/or you don’t take any steps to register in the IUVO portal as a claims buyer, we will process your personal data (name, family name and email) for 2 months from the date the referring person has given the personal data described above to us.

 

In certain cases IUVO may process personal data also if it is necessary for the purposes of the legitimate interests pursued by IUVO, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. In such case, the legal basis for personal data processing is article 6(1)(f) of the GDPR. When the processing of your personal data is based on our legitimate interest, you have at any time the right to object to such processing (see more in Section 6 below).

 

A more detailed overview of what personal data we process and for what purposes is provided in Section 5 below.

 

 

  4.4 General principles of processing of personal data and retention periods thereof

IUVO processes user’s personal data lawfully, fairly, and in a transparent manner and to the extent provided for by the applicable legislation.
IUVO and its employees apply all diligence and security measures required by the law when processing user’s personal data to ensure that it is only done for a specified purpose and to protect user’s personal data against inadvertent or unauthorised use, disclosure or destruction.
IUVO enables access to the user’s personal data only to
• its employees with whom a non-disclosure agreement is concluded;
• a third person, who processes the data on behalf of the portal operator, with whom a non-disclosure agreement is concluded (see further Section 4.5 below).
We exclude access by unauthorised third persons to users’ personal data and to our database containing such data.
Your personal data connected to the agreements concluded by you via our portal will be stored as long as required by applicable laws. Retention periods applied by IUVO are indicated in the table provided in Section 5 below.
Some personal data may be deleted sooner if deemed unnecessary or if required by the user, unless deleting such data is in conflict with any of our obligations under the applicable laws. If you have questions concerning specific retention periods applicable to data processed about you, you may contact IUVO at any time.

 

  4.5 Transfer and disclosure of personal data
We may transfer your personal data in accordance with the user terms and the applicable law, to:
• Persons to whom the portal operator is obliged to transfer user’s personal data based on the law;
• Persons providing accounting services to the portal operator, and persons providing legal assistance in connection with agreements entered into by users.

In general, all recipients to whom IUVO transfers your personal data are located in the European Union and European Economic Area. When it is necessary to transfer your personal data to a third country or an international organisation outside the European Economic Area, IUVO will provide appropriate safeguards and transfer the personal data (i) to countries where the European Commission considers the level of data protection to be adequate (see HERE), (ii) under explicit agreement with standard data protection clauses (standard terms approved by the European Commission available HERE and used by IUVO depending on the circumstances of data transfer), or (iii) under other instruments allowed under the applicable law, on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

If the user has separately given such consent to IUVO, IUVO is entitled to transfer user’s personal data (primarily the user’s name and e-mail address) to the persons to whom the portal operator has assigned a duty to market and promote portal operator’s products to the user.

When visiting our website, we may carry out transfers of personal data within the European Union and the European Economic Area and/or to a third country or an international organization outside the European Union. In such a case, appropriate safety measures as required under the GDPR are applied.

As IUVO is part of Management Financial Group Holding, we may need to share your personal data with other companies in the Holding for these purposes. This processing is in accordance with the applicable legislation.

  • IUVO can exchange within the Group of Companies in MFG data collected in the course of customer due diligence carried out for the purpose of fulfilling the legal requirements for the prevention of the use of the financial system for money laundering and terrorist financing, and in particular: clarification of the origin of the funds; disclosure of information on unusual and suspicious transactions and their reporting to a competent public authority; conducting actions to establish potential connectivity and identify third parties acting on behalf or on behalf of the client.

 

  5. Overview of our processing activities

 

If you engage with us in any way, we may collect the following information about you through the methods of contact you choose to use at the point of engagement:

 

 

| Personal data | Purpose | Legal basis | Retention period |
| --- | --- | --- | --- |
| Full name, PIN, ID card details or details from another official document, nationality, address (current and permanent), occupation, date of birth, e-mail, telephone number. | • Registration as User of the Portal; • Entering into agreement for provision of services and provision of requested service; • Fulfilment of obligations under the concluded agreement and services | Conclusion and/or performance of an agreement (GDPR Art 6(1)(b)); after the termination of the agreement, our legitimate interest (GDPR Art 6(1)(f)) in conjunction with Section 146 (4) of the Estonian Act on the General Part of the Civil Code | During the term of an agreement and up to 5 years after the termination |
| Username, login and password details, IP address | Use of the registered User account | Conclusion and/or performance of an agreement (GDPR Art 6(1)(b)); after the termination of the agreement, our legitimate interest (GDPR Art 6(1)(f)) in conjunction with Section 146 (4) of the Estonian Act on the General Part of the Civil Code | During the term of an agreement and up to 5 years after the termination |
| Full name, ID card details or details from another official document, nationality, address (current and permanent), occupation, date of birth, e-mail, telephone number, electronic copy of a utility bill | Identification and verification under the Money Laundering and Terrorist Financing Prevention Act (hereinafter referred to as the MLTFPA) and European regulations and any other applicable legislation in this field | Statutory obligation (GDPR Art 6(1)(c)) under Section 47 of the Money Laundering and Terrorist Financing Prevention Act | For 5 years as of collection of data |
| Information concerning money transactions, invoices and other accounting related documents | Compliance with accounting related legislation | Statutory obligation (GDPR Art 6(1)(c)) under Section 12 of the Accounting Act | For at least 7 years as of collection of data |
| Personal data collected for the purpose of PEP (politically exposed person) screening – public functions, job position, political opinions and membership, personal data about family members of a person performing prominent public functions | Due diligence and risk assessment/risk appetite under the MLTFPA and European regulations; identification for the purposes of entering into an agreement for provision of services | Statutory obligation (GDPR Art 6(1)(c)) under Section 47 of the Money Laundering and Terrorist Financing Prevention Act | For 5 years as of collection of data |
| Field of professional activity, Qualification level, Annual income | Identification under the MLTFPA and European regulations | Statutory obligation (GDPR Art 6(1)(c)) under Section 47 of the Money Laundering and Terrorist Financing Prevention Act | For 5 years as of collection of data |
| Information relevant to money transactions | • Details about the payment instrument used – IBAN, currency; • Information about electronic banking and details about performed transactions – amount of transaction, time and place of transaction | Conclusion and/or performance of an agreement (GDPR Art 6(1)(b)); after the termination of the agreement, our legitimate interest (GDPR Art 6(1)(f)) in conjunction with Section 146 (4) of the Estonian Act on the General Part of the Civil Code | During the term of an agreement and up to 10 years after the termination |
| Personal E-mail | • Offering products and services of IUVO; • Sending advertising messages; • Participation in marketing campaigns; • Sending daily statements and information on the product used by the customer | Consent (GDPR Art 6(1)(a)) | Until you withdraw from your consent |
| Corporate E-mail | Identification for the purposes of entering into an agreement for provision of services and confirmation of the conditions for participation in program under general terms (“Colleagues”) | Conclusion and/or performance of an agreement (GDPR Art 6(1)(b)); after the termination of the agreement, our legitimate interest (GDPR Art 6(1)(f)) in conjunction with Section 146 (4) of the Estonian Act on the General Part of the Civil Code | During the term of an agreement and up to 5 years after the termination |
| Telephone number | Calling and sending short text messages for the purpose of marketing | Consent (GDPR Art 6(1)(a)) | Until you withdraw from your consent |
| Corporate telephone number | Calling and sending short text messages for the purpose of marketing | Consent (GDPR Art 6(1)(a)) | Until you withdraw from your consent |
| Corporate telephone number | Calling and sending short text messages for the purpose of offering assistance in using the product and confirming fulfillment of the general conditions of programs (“Colleagues”) | Conclusion and/or performance of an agreement (GDPR Art 6(1)(b)); after the termination of the agreement, our legitimate interest (GDPR Art 6(1)(f)) in conjunction with Section 146 (4) of the Estonian Act on the General Part of the Civil Code | During the term of an agreement and up to 5 years after the termination |
| Unique identification code in e-Check system | Identification for the purposes of entering into an agreement for provision of services and confirmation of the conditions for participation in program under general terms (“Colleagues”) | Conclusion and/or performance of an agreement (GDPR Art 6(1)(b)); after the termination of the agreement, our legitimate interest (GDPR Art 6(1)(f)) in conjunction with Section 146 (4) of the Estonian Act on the General Part of the Civil Code | During the term of an agreement and up to 5 years after the termination |
| Full name, e-mail address | Confirmation of consent as a Referred person | Consent (GDPR Art 6(1)(a)) | Until you withdraw from your consent |
| Voice recording of telephone conversation | • Performance of services by IUVO, guaranteeing consumers’ rights under applicable laws and proof of conversation’s topic; • Improvement of customer service | IUVO’s legitimate interest to deliver its services on appropriate level (GDPR Art 6(1)(f)). Considering that you are notified of the recording and have other ways to contact us (e.g., e-mail), also that it is also in your interest that services provided to you meet your expectations, we believe such legitimate interest is not overridden by your other interests or fundamental rights and freedoms. | 30 days as of making the recording |
| Full name, telephone number, e-mail address and other personal data provided by the data subjects in connection with a request, appeal and/or complaint, recommendations, comments, through a chat or at the Company’s email address: [email protected], by telephone or on a hard copy to the address of the Company. | Processing and response to requests for exercise of rights, inquiries and complaints | Depending on the content of the communication: to process and respond to your request (GDPR Art 6(1)(b)); our legitimate interest (GDPR Art 6(1)(f)) in conjunction with Section 146 (1) of the Estonian Act on the General Part of the Civil Code; or your consent (GDPR Art 6(1)(a)). | For up to 3 years after the final response to your request or, if the legal basis is your consent, until you withdraw from your consent. |
| Full name, e-mail address | Participation in Refer-a-friend program | Your consent (GDPR Art 6(1)(a)) | For 2 months from the date the Referring person has given the personal data described above to us, unless you withdraw from the consent earlier |

 

 

  6. Rights and obligations of the users and the IUVO portal in connection with processing of the personal data
    • You have the following rights in relation to the processing of your personal data. Note however that not all those rights are absolute and may be restricted on the grounds provided in the GDPR.

Right to information:
You are entitled at any time to demand from us:
• information about whether data relating to you are being processed and the details thereof; and
• copy of your personal data processed by us;
to receive a message in a structured, commonly used and machine-readable format containing your personal data processed by us, as well as any available information about the source of your personal data.
Where the processing of your personal data relies on our legitimate interest, you are entitled to ask us further information about the balancing test carried out by IUVO.
For that, you must submit a relevant application to us via your account, by sending an e-mail to [email protected] or by filling in this FORM and sending it by e-mail to [email protected] (in this case, the FORM should be signed with an electronic signature or signed manually). Note that we will only provide you the information if we have properly identified you. We will provide you the information requested as soon as possible but not later than within a month from receiving the application. Under anti-money laundering regulations, we are entitled and obliged to refrain from transferring to you certain information about the usage of your personal data. To the extent not restricted by law, we will provide you the requested information.

Right of correction:
In case we handle incomplete or erroneous data, you are entitled at any time to obtain from us without undue delay the rectification of inaccurate personal data concerning you.

Right of objection to the processing of your personal data:
You may at any time object to the processing of your personal data if the processing is based on our or a third party’s legitimate interest. In such case, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the data is necessary for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.

Right to restriction of processing:
You may request a restriction of the processing if:
• the accuracy of your personal data is contested by you, for a period enabling us to verify the accuracy of your personal data; or
• the processing of your data is unlawful but instead of deleting it, you want their limited processing; or
• we no longer need these data (for the intended purpose), but you need them for the establishment, exercise or protection of legal claims; or
• you have objected to processing your data, pending the verification whether our legitimate grounds override yours as a data subject.

Right to withdraw your consent:
Where processing of your personal data is based on your consent, you have the right to withdraw your consent at any time by opting out of IUVO’s services the provision of which relies on your consent (e.g., sending advertising messages) or contacting IUVO at the contact details referred to in this Privacy Policy. The withdrawal of your consent shall not affect the lawfulness of processing based on your consent before its withdrawal.

Right of Data portability:
You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where:
• the processing of that personal data is based on your consent or on a contract; and
• the processing is carried out by automated means

Right to erasure (‘right to be forgotten’)
You are entitled to demand from us erasure of your personal data and/or termination of the processing of your personal data by us where one of the following grounds applies:
• your personal data is no longer needed for the purposes for which it was collected or otherwise processed;
• you have withdrawn your consent on which the processing of the data is based and there is no other legal basis for the processing;
• you believe your personal data has been processed unlawfully.
Keep in mind that there may be other reasons to prevent the immediate erasure of your data, such as statutory storage obligations, pending proceedings, establishment, exercise or defence of legal claims, etc.

  • We trust that the information provided by you is correct, valid and complete. Each user is obliged to inform us immediately about the changes in their personal data and also about incorrectness or invalidity of personal data by providing us the correct and valid personal data to replace the incorrect and/or invalid one.
  7. Complaints
    If you find that the way we have been processing your personal data has violated your rights in any way, you may submit a complaint to the Estonian Data Protection Inspectorate or the supervisory authority of the country of your habitual residence or place of work in the EU.
  8. Amendments
    We monitor our procedures concerning data processing at least once per year. Should we find any information provided in this policy invalid or inaccurate, we will make amendments accordingly.
    Any changes made to this policy will be made available on this webpage and if we have your e-mail address, you will also be informed about any material changes via e-mail.

This Privacy Policy is up to date as of 12.06.2024.