• ARGENTINA
• BRAZIL
• CANADA (INCLUDING THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA))
• CALIFORNIA, US (INCLUDING THE CONSUMER PRIVACY ACT)
• CHILE
• COLOMBIA
• COTE D’IVOIRE
• EUROPEAN UNION (EU) (INCLUDING THE GENERAL DATA PROTECTION REGULATION (EU GDPR))
• MONTANA, US (INCLUDING THE CONSUMER DATA PROTECTION ACT (MCDPA))
• NIGERIA
• PERÚ
• SOUTH AFRICA
• THE UNITED KINGDOM (UK) (INCLUDING THE GENERAL DATA PROTECTION REGULATION (UK GDPR))
• THE UNITED MÉXICAN STATES (MEXICO)
• THE UNITED STATES OF AMERICA (US) (INCLUDING THE ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA)).
ANY QUESTIONS OR CONCERNS CAN BE ADDRESSED TO US ELECTRONICALLY AT PRIVACY@CONDUIT.FI, OR BY PHYSICALLY WRITING TO US AT 1001 S MAIN STREET, SUITE 4080, KALISPELL, MONTANA 59901, UNITED STATES OF AMERICA.
We appreciate you wanting to interact and/or participate with Conduit Technology, Inc., including our subsidiaries, affiliates, and other business under common control (collectively referred to as "Conduit", “our”, “us”, or "we"). Conduit’s client focus is presently only on businesses (often known as business-to business or “B2B”), which means that we only accept businesses (also commonly known as “legal entities”, “legal persons”, or “moral persons” and which shall, along with natural persons, hereinafter be collectively referred to as a “persons”) as our clients. Although our focus is B2B, we do collect data on natural persons that own, are acting on behalf of, or for, our (actual or potential) clients (hereinafter collectively referred to as “clients”, “you”, or “your”). We take privacy seriously and are committed to protecting personal data and privacy rights. This Policy and Notice describes the data we obtain, collect, how it’s used, and the applicable data rights.
When you visit our websites (e.g., https://conduit.fi, https://conduit.financial), our platform, or use our products or services, you are entrusting us with your personal data and we want you to know we value your privacy. That’s why Conduit, in complying with current personal data privacy, protection, and processing regulations, and in accordance with the provisions of legislation and other provisions that modify, add or complement those regulations, presents the following Policy regarding the personal data provided to Conduit by you (the data owner, hereinafter referred to as “Owner”), including clients, collaborators, partners, suppliers, third-parties, vendors, and any other person from whom Conduit obtains, collects, processes, or treats personal data, whether said treatment is carried out by us or third parties who do so on our behalf.
This Policy aims, among other things, to protect the data rights of persons, along with providing clarity on how to request Conduit to update, rectify, and ⎯ if permissible under the applicable laws, regulations, and rules, which often intertwine with anti-financial crime (“AFC”) guidelines, laws, regulations, and rules (AFC topics include but are not limited to anti-money laundering, countering terrorism financing, financial sanctions, fraud, theft, impersonation, counterfeiting, anti-bribery, and anti-corruption) ⎯ delete the data that we have collected and stored. To be clear, Conduit only collects, stores, and treats personal data when it has been previously authorized to do so by the data’s Owner, and in compliance with our own privacy and confidentiality provisions as set forth herein. This Policy provides general standards used to protect the Owners personal data, the reasons we process and use data (treatment), who is responsible for handling data privacy and protection complaints and claims, and the procedures that must be followed by Owners in order to know, access, update, rectify, and, if permissible delete, the data provided to Conduit.
This Policy applies to all data obtained and/or gathered, regardless of the means, methods, or locations from which such data was obtained and/or gathered (in this Policy these means, methods, and locations include but are not limited to our websites, platform, products, services, onboarding processes, information requests, and data requests, and are collectively referred to as "Places").
If there are any terms in this Policy that you do not agree with, please stop using our Places.
To exercise any rights regarding your personal data, please contact us at privacy@conduit.fi or at the physical address provided herein. You may also contact us and request that your data thus far collected be removed from our systems and we will honor your request up to the limits permitted under the applicable laws, regulations, and rules (hereinafter collectively referred to as “Laws”).
TABLE OF CONTENTS
Address (electronic): Conduit Technology, Inc., at privacy@conduit.fi
Address (physical): Conduit Technology, Inc., 1001 S Main Street, Suite 4080, Kalispell, Montana 59901, United States of America.
Anonymization: use of reasonable technical means available at the time of processing, by which the data loses the possibility of direct or indirect association with a natural person.
Anonymized data: data related to an Owner that cannot be identified, considering the use of reasonable technical means available at the time of processing.
Authorization: prior, express, and informed consent of the Owner to carry out the processing of personal data.
Blocking: temporary suspension of any treatment operation, keeping personal data or the database.
Communication or transmission of data: disclose in any way the personal data to persons other than the Owner, whether determined or indeterminate.
Consent: free, informed, and unequivocal expression by which the Owner accepts the processing of their personal data for specific purpose(s).
Data blocking: the temporary suspension of any stored data processing operation.
Data dissociation procedure: all processing of personal data in such a way that the data obtained cannot be associated with a specific or determinable person.
Data modification: any change in the content of the data stored in records or databases.
Data retention: the amount of time that data is retained within the database; we retain data for ten (10) years after the relationship with the Owner or our client terminates, or pursuant to the applicable data Laws, whichever is longer.
Data sharing: communication, dissemination, international transfer, interconnection of personal data or shared treatment of personal data banks by public bodies and entities in compliance with their legal powers, or between them and private entities, reciprocally, with express authorization, for one or more treatment modalities allowed by these public entities, or between private entities.
Data: facts, statistics, details, and information provided or collected or learned about something or someone for reference or use or storage or analysis.
Database custodian: natural person, within Conduit, who guards the personal databases.
Database: structured set of data, including personal data, established in one or more places, on electronic or physical support.
Elimination: elimination of data or data sets stored in a database, regardless of the procedure used.
Expired data: which has become out of date by provision of the law, due to the fulfillment of the condition or the expiration of the period indicated for its validity or, if there is no express rule, due to the change in the facts or circumstances indicated.
Habeas data: it is the right of the Owner of the personal data to demand from the database custodian access, inclusion, exclusion, correction, addition, updating and rectification of the data, as well as the limitation in its disclosure, publication, or transfer.
Impact report on the protection of personal data: documentation of the database custodian that contains the description of the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms.
International data transfer: transfer of personal data to a foreign country or international organization of which the country is a member.
Legislation: includes but is not limited to Brazilian Regulation, Law 13,709 in relation to Law 13,853; California Civil Code Section 1798.83, also known as the “Shine The Light” law and the California Consumer Privacy Act of 2018; Canada Personal Information Protection and Electronic Documents Act (PIPEDA); Chilean Regulation Law 19628; Colombian regulation, Law 1581 of 2012, Decree 1074 of 2015, Law 962 2005, and Law 1480 from 2011; European Union (EU) General Data Protection Regulation (EU GDPR); Montana Consumer Data Protection Act (MCDPA); Peruvian Regulation Law 29733 and Law 27444; United Kingdom (UK) General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act of 2018; and the US Electronic Communications Privacy Act (ECPA).
Operator: a person, under public or private law, who processes personal data on behalf of the person responsible for the treatment.
Owner of personal data: natural persons whose data is subject to treatment (Owners). In the context of this Policy, the Owners may be: (i) clients, including all natural persons related or associated or involved with such clients; (ii) third-party vendors, suppliers, and partners; and (iii) all those persons not related to Conduit whose personal data is processed.
Owner: the person who owns the personal data that is subject to treatment.
Person in charge of the treatment: person of a public or private nature that, by itself or in association with others, carries out the processing of personal data on behalf of the database custodian.
Person: a natural person (also known as (aka) a human being) or legal person (aka legal entity such as a corporation, or moral person).
Personal data: any data concerning or linked to specific or determinable natural persons. Personal database: organized set of personal data that are subject to treatment by a person.
Privacy notice: oral or written communication addressed to the Owners of the personal data that are being processed by a company, in which they are informed about the existence of the personal data treatment policies that will be applied to them, the form of access them, and the purposes for which the Owners personal data will be used.
Private data: personal data that, due to its intimate or reserved nature, is relevant for the Owner.
Public data: personal data classified as such according to the Constitution and/or the law, and that has not been classified as private or semi-private personal data.
Research body: body or entity of direct or indirect public administration or non-profit private law legal person, legally constituted under Brazilian law, with headquarters and jurisdiction in the country, which includes in its institutional mission or in its corporate purpose or basic or applied regulatory research of a historical, scientific, technological, or statistical nature (wording given by Law No. 13,853, of 2019).
Responsible for the treatment: person of a public or private nature that by itself or in association with another or others decides on the processing of personal data. In this case, Conduit will be responsible for the treatment.
Semi-private data: personal data known and of interest both for the Owner and for a certain sector of person or for society in general, so it is not of an intimate, reserved, or public nature.
Sensitive data: personal data that affects the privacy of the Owner and whose incorrect use could generate discrimination. Sensitive data includes health data, data on sexual orientation, racial and ethnic origin, political opinions, religious, philosophical, or moral convictions.
Sources accessible to the public: records, or compilations of personal data, public or private, with unrestricted access or reserved for applicants.
Statistical data: the data that, in its origin, or because of its treatment, cannot be associated with an identified or identifiable owner.
Transfer: the transfer of personal data takes place when the database custodian and / or person in charge of the treatment of personal data sends the data or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside the country.
Transmission: processing of personal data that implies communication to a third party, within or outside the territory of the country, when said communication is intended to carry out a treatment by the person in charge on behalf of and on behalf of the database custodian, for fulfill the purposes of the latter.
Treatment: any operation or set of operations on personal data, such as the collection, storage, use, circulation, or deletion.
Ways to collect personal data: Conduit may know, collect, store, manage the data of the Owner of the data in accordance with the data use policy contained herein through the Conduit Places, including but not limited to following means: (i) mobile applications; (ii) websites; (iii) Conduit platform; (iv) Conduit products; (v) Conduit services; (vi) agreement, alliance, contract, or partnership with Conduit; and (vii) Conduit's third party providers, including but not limited to identity verification partners, financial service provider partners, and blockchain industry partners.
As established in legislation, the protection of personal data will be governed by the congruent and comprehensive application of the following principles:
• Principle of legality in the processing of personal data: processing of personal data referred to in legislation is a regulated activity that must be subject to what is established therein and the other provisions that develop it.
• Principle of adequacy: compatibility of the treatment with the purposes informed to the Owner, according to the context of the treatment.
• Principle of necessity: limitation of the treatment to the minimum necessary for the achievement of its purposes, with the scope of the pertinent, proportional, and not excessive data in relation to the purposes of the data processing.
• Principle of prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data.
• Principle of non-discrimination: impossibility of carrying out the treatment for discriminatory illicit or abusive purposes.
• Principle of accountability: demonstration, by the person responsible for the processing, of the adoption of effective measures capable of proving the observance and compliance with the personal data processing and protection regulations, including effectiveness of these measures.
• Principle of purpose: processing of personal data must obey a legitimate purpose in accordance with the applicable Laws, which must be informed to the Owner.
• Principle of freedom: processing of personal data can only be exercised with the prior, express, and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
• Principle of truthfulness or quality: the data subject to treatment must be truthful, complete, exact, updated, verifiable and understandable. Processing of partial, incomplete, fractional, or misleading data is prohibited.
• Principle of transparency: in the processing of personal data, the right of the Owner to obtain from the person responsible for the treatment or the person in charge of the treatment, at any time and without restrictions, information about the existence of data regarding such person must be guaranteed.
• Security principle: the data subject to treatment by the person in charge of the treatment or person in charge of the treatment referred to in applicable Laws, must be managed with the technical, human, and administrative measures that are necessary to provide security to the records avoiding its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
• Principle of confidentiality: all persons who intervene in the processing of personal data that are not public in nature are obliged to guarantee the reservation of the data, even after the end of their relationship with any of the tasks that comprise the treatment, being able only carry out supply or communication of personal data when this corresponds to the development of the activities authorized in legislation and in the terms of the same.
• Principle of access and restricted circulation: the treatment is subject to the limits that derive from the nature of the personal data, the provisions of applicable Laws. The treatment, therefore, can only be done by persons authorized by the Owner and/or by persons provided for in the law.
• Principle of proportionality: all processing of personal data must be adequate, relevant, and not excessive for the purpose for which the data was collected.
• Principle of adequate level of protection: for the cross-border flow of personal data, a sufficient level of protection must be guaranteed for the personal data to be processed or, at least, comparable to that provided by the applicable Law or by international standards on the matter.
The personal data we collect depends on the context of your interactions with us and our Places, the choices you make, and the products, services, and features you use.
The personal data we collect may include the following:
By automatically storing the data of the users who access the Conduit Places using cookies. Some of the data that can be stored automatically are the URL, the browser used, and IP address among others. ▪ by email communications
▪ through accessing Conduit’s websites and pages
▪ through access to mobile applications
▪ through access to platform or environments such as the Conduit sandbox
▪ creating username and password to access Conduit Places
▪ through telephone calls regardless of medium (apps, wired, wireless, etc.)
▪ through events held by Conduit or events attended by Conduit
▪ through the referral, transfer, or transmission by strategic allies or partners
▪ through agreements, applications, contracts, forms, or requests for information ▪ through service offers
▪ through the cooperation contract
▪ through service provision contracts
▪ through service portfolios
▪ through interfacing, regardless of the medium (apps, in person, telephone, video conference, etc.).
a. DATA YOU DISCLOSE AND/OR PROVIDE AND/OR AUTHORIZE US TO COLLECT
In sum: As noted above, Conduit only accepts legal persons as our clients, however, during the course of performing due diligence on our clients we collect data about certain natural persons affiliated or associated with our clients due to their professional or business capacity, when you visit our Places, that you provide to us, or when you communicate with us regardless of the medium used.
All personal data provided must be true, accurate, and complete. You must promptly notify us of any changes to keep such personal data accurate. The personal data we collect can include the following: