POLICY ON PRIVACY & PROCESSING OF PERSONAL DATA AND NOTICE
THIS POLICY IS IMPORTANT. PLEASE READ IT COMPLETELY AND THOUGHTFULLY. IT SHOULD ASSIST YOUR DECISIONS ON SHARING DATA WITH US. THIS POLICY ON PRIVACY & PROCESSING OF PERSONAL DATA (“Privacy Policy” or “Policy”) AND NOTICE THEREOF (Notice) IS PROVIDED IN COMPLIANCE WITH APPLICABLE LEGISLATION, INCLUDING BUT NOT LIMITED TO THE DATA PROTECTION LAWS, REGULATIONS, AND GUIDELINES IN ⎯
• ARGENTINA
• BRAZIL
• CANADA (INCLUDING THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA))
• CALIFORNIA, US (INCLUDING THE CONSUMER PRIVACY ACT)
• CHILE
• COLOMBIA
• COTE D’IVOIRE
• EUROPEAN UNION (EU) (INCLUDING THE GENERAL DATA PROTECTION REGULATION (EU GDPR))
• MONTANA, US (INCLUDING THE CONSUMER DATA PROTECTION ACT (MCDPA))
• NIGERIA
• PERÚ
• SOUTH AFRICA
• THE UNITED KINGDOM (UK) (INCLUDING THE GENERAL DATA PROTECTION REGULATION (UK GDPR))
• THE UNITED MÉXICAN STATES (MEXICO)
• THE UNITED STATES OF AMERICA (US) (INCLUDING THE ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA)).
ANY QUESTIONS OR CONCERNS CAN BE ADDRESSED TO US ELECTRONICALLY AT PRIVACY@CONDUIT.FI, OR BY PHYSICALLY WRITING TO US AT 1001 S MAIN STREET, SUITE 4080, KALISPELL, MONTANA 59901, UNITED STATES OF AMERICA.
We appreciate you wanting to interact and/or participate with Conduit Technology, Inc., including our subsidiaries, affiliates, and other business under common control (collectively referred to as "Conduit", “our”, “us”, or "we"). Conduit’s client focus is presently only on businesses (often known as business-to business or “B2B”), which means that we only accept businesses (also commonly known as “legal entities”, “legal persons”, or “moral persons” and which shall, along with natural persons, hereinafter be collectively referred to as a “persons”) as our clients. Although our focus is B2B, we do collect data on natural persons that own, are acting on behalf of, or for, our (actual or potential) clients (hereinafter collectively referred to as “clients”, “you”, or “your”). We take privacy seriously and are committed to protecting personal data and privacy rights. This Policy and Notice describes the data we obtain, collect, how it’s used, and the applicable data rights.
When you visit our websites (e.g., https://conduit.fi, https://conduit.financial), our platform, or use our products or services, you are entrusting us with your personal data and we want you to know we value your privacy. That’s why Conduit, in complying with current personal data privacy, protection, and processing regulations, and in accordance with the provisions of legislation and other provisions that modify, add or complement those regulations, presents the following Policy regarding the personal data provided to Conduit by you (the data owner, hereinafter referred to as “Owner”), including clients, collaborators, partners, suppliers, third-parties, vendors, and any other person from whom Conduit obtains, collects, processes, or treats personal data, whether said treatment is carried out by us or third parties who do so on our behalf.
This Policy aims, among other things, to protect the data rights of persons, along with providing clarity on how to request Conduit to update, rectify, and ⎯ if permissible under the applicable laws, regulations, and rules, which often intertwine with anti-financial crime (“AFC”) guidelines, laws, regulations, and rules (AFC topics include but are not limited to anti-money laundering, countering terrorism financing, financial sanctions, fraud, theft, impersonation, counterfeiting, anti-bribery, and anti-corruption) ⎯ delete the data that we have collected and stored. To be clear, Conduit only collects, stores, and treats personal data when it has been previously authorized to do so by the data’s Owner, and in compliance with our own privacy and confidentiality provisions as set forth herein. This Policy provides general standards used to protect the Owners personal data, the reasons we process and use data (treatment), who is responsible for handling data privacy and protection complaints and claims, and the procedures that must be followed by Owners in order to know, access, update, rectify, and, if permissible delete, the data provided to Conduit.
This Policy applies to all data obtained and/or gathered, regardless of the means, methods, or locations from which such data was obtained and/or gathered (in this Policy these means, methods, and locations include but are not limited to our websites, platform, products, services, onboarding processes, information requests, and data requests, and are collectively referred to as "Places").
If there are any terms in this Policy that you do not agree with, please stop using our Places.
To exercise any rights regarding your personal data, please contact us at privacy@conduit.fi or at the physical address provided herein. You may also contact us and request that your data thus far collected be removed from our systems and we will honor your request up to the limits permitted under the applicable laws, regulations, and rules (hereinafter collectively referred to as “Laws”).
TABLE OF CONTENTS
- DEFINITIONS
- PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA OF DATA PROTECTION 3. HOW WE COLLECT THE DATA
- WHAT DATA DO WE COLLECT?
- HOW DO WE USE YOUR DATA?
- WILL YOUR DATA BE SHARED WITH ANYONE?
- WITH WHOM WILL YOUR DATA BE SHARED?
- DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
- HOW WE HANDLE YOUR THIRD-PARTY ACCOUNT LOGINS?
- HOW LONG AND WHERE DO WE KEEP YOUR DATA?
- HOW DO WE KEEP YOUR DATA SAFE?
- DO WE COLLECT DATA FROM MINORS?
- WHAT ARE YOUR DATA PRIVACY & PROTECTION RIGHTS?
- DO ARGENTINIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO BRAZILIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO CALIFORNIA RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO CANADIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO CHILEAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO COLOMBIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO COTE D’IVOIRE RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO EU AND UK RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO MEXICAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO MONTANA RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO NIGERIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO PERUVIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO SOUTH AFRICAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
- DO WE UPDATE THIS POLICY?
- HOW TO CONTACT US ABOUT THIS POLICY?
- DO WE TREAT SENSITIVE PERSONAL DATA?
- HOW WE TREAT THE PERSONAL DATA OF OUR EMPLOYEES
1. DEFINITIONS
Address (electronic): Conduit Technology, Inc., at privacy@conduit.fi
Address (physical): Conduit Technology, Inc., 1001 S Main Street, Suite 4080, Kalispell, Montana 59901, United States of America.
Anonymization: use of reasonable technical means available at the time of processing, by which the data loses the possibility of direct or indirect association with a natural person.
Anonymized data: data related to an Owner that cannot be identified, considering the use of reasonable technical means available at the time of processing.
Authorization: prior, express, and informed consent of the Owner to carry out the processing of personal data.
Blocking: temporary suspension of any treatment operation, keeping personal data or the database.
Communication or transmission of data: disclose in any way the personal data to persons other than the Owner, whether determined or indeterminate.
Consent: free, informed, and unequivocal expression by which the Owner accepts the processing of their personal data for specific purpose(s).
Data blocking: the temporary suspension of any stored data processing operation.
Data dissociation procedure: all processing of personal data in such a way that the data obtained cannot be associated with a specific or determinable person.
Data modification: any change in the content of the data stored in records or databases.
Data retention: the amount of time that data is retained within the database; we retain data for ten (10) years after the relationship with the Owner or our client terminates, or pursuant to the applicable data Laws, whichever is longer.
Data sharing: communication, dissemination, international transfer, interconnection of personal data or shared treatment of personal data banks by public bodies and entities in compliance with their legal powers, or between them and private entities, reciprocally, with express authorization, for one or more treatment modalities allowed by these public entities, or between private entities.
Data: facts, statistics, details, and information provided or collected or learned about something or someone for reference or use or storage or analysis.
Database custodian: natural person, within Conduit, who guards the personal databases.
Database: structured set of data, including personal data, established in one or more places, on electronic or physical support.
Elimination: elimination of data or data sets stored in a database, regardless of the procedure used.
Expired data: which has become out of date by provision of the law, due to the fulfillment of the condition or the expiration of the period indicated for its validity or, if there is no express rule, due to the change in the facts or circumstances indicated.
Habeas data: it is the right of the Owner of the personal data to demand from the database custodian access, inclusion, exclusion, correction, addition, updating and rectification of the data, as well as the limitation in its disclosure, publication, or transfer.
Impact report on the protection of personal data: documentation of the database custodian that contains the description of the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms.
International data transfer: transfer of personal data to a foreign country or international organization of which the country is a member.
Legislation: includes but is not limited to Brazilian Regulation, Law 13,709 in relation to Law 13,853; California Civil Code Section 1798.83, also known as the “Shine The Light” law and the California Consumer Privacy Act of 2018; Canada Personal Information Protection and Electronic Documents Act (PIPEDA); Chilean Regulation Law 19628; Colombian regulation, Law 1581 of 2012, Decree 1074 of 2015, Law 962 2005, and Law 1480 from 2011; European Union (EU) General Data Protection Regulation (EU GDPR); Montana Consumer Data Protection Act (MCDPA); Peruvian Regulation Law 29733 and Law 27444; United Kingdom (UK) General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act of 2018; and the US Electronic Communications Privacy Act (ECPA).
Operator: a person, under public or private law, who processes personal data on behalf of the person responsible for the treatment.
Owner of personal data: natural persons whose data is subject to treatment (Owners). In the context of this Policy, the Owners may be: (i) clients, including all natural persons related or associated or involved with such clients; (ii) third-party vendors, suppliers, and partners; and (iii) all those persons not related to Conduit whose personal data is processed.
Owner: the person who owns the personal data that is subject to treatment.
Person in charge of the treatment: person of a public or private nature that, by itself or in association with others, carries out the processing of personal data on behalf of the database custodian.
Person: a natural person (also known as (aka) a human being) or legal person (aka legal entity such as a corporation, or moral person).
Personal data: any data concerning or linked to specific or determinable natural persons. Personal database: organized set of personal data that are subject to treatment by a person.
Privacy notice: oral or written communication addressed to the Owners of the personal data that are being processed by a company, in which they are informed about the existence of the personal data treatment policies that will be applied to them, the form of access them, and the purposes for which the Owners personal data will be used.
Private data: personal data that, due to its intimate or reserved nature, is relevant for the Owner.
Public data: personal data classified as such according to the Constitution and/or the law, and that has not been classified as private or semi-private personal data.
Research body: body or entity of direct or indirect public administration or non-profit private law legal person, legally constituted under Brazilian law, with headquarters and jurisdiction in the country, which includes in its institutional mission or in its corporate purpose or basic or applied regulatory research of a historical, scientific, technological, or statistical nature (wording given by Law No. 13,853, of 2019).
Responsible for the treatment: person of a public or private nature that by itself or in association with another or others decides on the processing of personal data. In this case, Conduit will be responsible for the treatment.
Semi-private data: personal data known and of interest both for the Owner and for a certain sector of person or for society in general, so it is not of an intimate, reserved, or public nature.
Sensitive data: personal data that affects the privacy of the Owner and whose incorrect use could generate discrimination. Sensitive data includes health data, data on sexual orientation, racial and ethnic origin, political opinions, religious, philosophical, or moral convictions.
Sources accessible to the public: records, or compilations of personal data, public or private, with unrestricted access or reserved for applicants.
Statistical data: the data that, in its origin, or because of its treatment, cannot be associated with an identified or identifiable owner.
Transfer: the transfer of personal data takes place when the database custodian and / or person in charge of the treatment of personal data sends the data or personal data to a recipient, who in turn is responsible for the treatment and is inside or outside the country.
Transmission: processing of personal data that implies communication to a third party, within or outside the territory of the country, when said communication is intended to carry out a treatment by the person in charge on behalf of and on behalf of the database custodian, for fulfill the purposes of the latter.
Treatment: any operation or set of operations on personal data, such as the collection, storage, use, circulation, or deletion.
Ways to collect personal data: Conduit may know, collect, store, manage the data of the Owner of the data in accordance with the data use policy contained herein through the Conduit Places, including but not limited to following means: (i) mobile applications; (ii) websites; (iii) Conduit platform; (iv) Conduit products; (v) Conduit services; (vi) agreement, alliance, contract, or partnership with Conduit; and (vii) Conduit's third party providers, including but not limited to identity verification partners, financial service provider partners, and blockchain industry partners.
2. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA AND DATA PROTECTION
As established in legislation, the protection of personal data will be governed by the congruent and comprehensive application of the following principles:
• Principle of legality in the processing of personal data: processing of personal data referred to in legislation is a regulated activity that must be subject to what is established therein and the other provisions that develop it.
• Principle of adequacy: compatibility of the treatment with the purposes informed to the Owner, according to the context of the treatment.
• Principle of necessity: limitation of the treatment to the minimum necessary for the achievement of its purposes, with the scope of the pertinent, proportional, and not excessive data in relation to the purposes of the data processing.
• Principle of prevention: adoption of measures to prevent the occurrence of damages due to the processing of personal data.
• Principle of non-discrimination: impossibility of carrying out the treatment for discriminatory illicit or abusive purposes.
• Principle of accountability: demonstration, by the person responsible for the processing, of the adoption of effective measures capable of proving the observance and compliance with the personal data processing and protection regulations, including effectiveness of these measures.
• Principle of purpose: processing of personal data must obey a legitimate purpose in accordance with the applicable Laws, which must be informed to the Owner.
• Principle of freedom: processing of personal data can only be exercised with the prior, express, and informed consent of the Owner. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.
• Principle of truthfulness or quality: the data subject to treatment must be truthful, complete, exact, updated, verifiable and understandable. Processing of partial, incomplete, fractional, or misleading data is prohibited.
• Principle of transparency: in the processing of personal data, the right of the Owner to obtain from the person responsible for the treatment or the person in charge of the treatment, at any time and without restrictions, information about the existence of data regarding such person must be guaranteed.
• Security principle: the data subject to treatment by the person in charge of the treatment or person in charge of the treatment referred to in applicable Laws, must be managed with the technical, human, and administrative measures that are necessary to provide security to the records avoiding its adulteration, loss, consultation, use, or unauthorized or fraudulent access.
• Principle of confidentiality: all persons who intervene in the processing of personal data that are not public in nature are obliged to guarantee the reservation of the data, even after the end of their relationship with any of the tasks that comprise the treatment, being able only carry out supply or communication of personal data when this corresponds to the development of the activities authorized in legislation and in the terms of the same.
• Principle of access and restricted circulation: the treatment is subject to the limits that derive from the nature of the personal data, the provisions of applicable Laws. The treatment, therefore, can only be done by persons authorized by the Owner and/or by persons provided for in the law.
• Principle of proportionality: all processing of personal data must be adequate, relevant, and not excessive for the purpose for which the data was collected.
• Principle of adequate level of protection: for the cross-border flow of personal data, a sufficient level of protection must be guaranteed for the personal data to be processed or, at least, comparable to that provided by the applicable Law or by international standards on the matter.
3. HOW WE COLLECT DATA
The personal data we collect depends on the context of your interactions with us and our Places, the choices you make, and the products, services, and features you use.
The personal data we collect may include the following:
By automatically storing the data of the users who access the Conduit Places using cookies. Some of the data that can be stored automatically are the URL, the browser used, and IP address among others. ▪ by email communications
▪ through accessing Conduit’s websites and pages
▪ through access to mobile applications
▪ through access to platform or environments such as the Conduit sandbox
▪ creating username and password to access Conduit Places
▪ through telephone calls regardless of medium (apps, wired, wireless, etc.)
▪ through events held by Conduit or events attended by Conduit
▪ through the referral, transfer, or transmission by strategic allies or partners
▪ through agreements, applications, contracts, forms, or requests for information ▪ through service offers
▪ through the cooperation contract
▪ through service provision contracts
▪ through service portfolios
▪ through interfacing, regardless of the medium (apps, in person, telephone, video conference, etc.).
4. WHAT DATA DO WE COLLECT?
a. DATA YOU DISCLOSE AND/OR PROVIDE AND/OR AUTHORIZE US TO COLLECT
In sum: As noted above, Conduit only accepts legal persons as our clients, however, during the course of performing due diligence on our clients we collect data about certain natural persons affiliated or associated with our clients due to their professional or business capacity, when you visit our Places, that you provide to us, or when you communicate with us regardless of the medium used.
All personal data provided must be true, accurate, and complete. You must promptly notify us of any changes to keep such personal data accurate. The personal data we collect can include the following:
PERSONAL DATA CATEGORY | DATA REQUESTED AND/OR OBTAINED |
---|---|
IDENTIFYING DATA | legal name — any combination of given names and surnames |
tax identification number (e.g., RFC or Social Security Number) | |
EIN, TIN, CURP, CIF, CIEC, &/or proof of tax number or situation | |
photo identification (e.g., passport, driver’s license, INE) | |
e-signature / FIEL (e.firma) | |
location data (e.g., residential &/or mailing address, work address) | |
date of birth, birthplace | |
CONTACT DETAILS | email address(es) ⎯ work or personal |
telephone number(s) ⎯ work, personal, or mobile | |
EMPLOYMENT DATA | employer’s name |
employer’s economic activity | |
title at employer, employment details | |
employer’s details, including financial data, location(s), size, tax data, and contact details | |
ACADEMIC DATA | not applicable (N/A) |
SENSITIVE DATA | not applicable (N/A) |
BIOMETRIC DATA CREDENTIALS | government-issued photo identification |
personal photos and/or liveness video(s) | |
user ID(s) | |
password(s) | |
password hint(s) | |
authentication data | |
account access data |
b. DATA AUTOMATICALLY COLLECTED
In sum: Some data – such as IP address and/or browser and device characteristics – is collected automatically when you visit our Places.
We automatically collect certain data when you visit, use, or navigate our Places. This data does not reveal your specific identity (like your name or contact data) but may include device and usage data, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, data about how and when you use our Places and other technical data. In some countries and/or regions, this data is considered personal data under applicable data protection and/or privacy laws or regulations. Like many businesses, we also collect data about how your device has interacted with our Places, including the pages and products and services accessed, time spent on Places, and links clicked through cookies and similar technologies. This data is primarily needed to maintain the security and operation of our Places, your account security, anti-fraud measures, and for our internal analytics and reporting purposes.
c. DATA COLLECTED FROM OTHER SOURCES
In sum: We may collect data from public databases, marketing partners, social media platforms, and other outside sources to the extent permitted by applicable laws.
We may obtain data about you from other legally permissible sources, such as public databases, governmental databases, joint marketing partners, social media platforms, as well as from other third parties. Examples of the data we receive from other sources include: profile data (your name, gender, birthday, email, current city, state, country, user identification numbers for your contacts, profile pictures, URL, employer, employer’s address, employment title, employment contact data, social media followers,
employer’s size and status, and any other data that you choose to make public or accessible); marketing leads, search results, links, including paid listings (such as sponsored links).
5. HOW DO WE USE YOUR DATA?
In sum: The legal bases for using your data are legitimate business interests, the fulfillment of a contract with you and/or your employer, compliance with our legal obligations, and/or your consent.
We use data collected via our Places or from outside sources for a variety of business purposes that are legally permissible as described below. We process your data for the following purposes — our legitimate business interests, in order to enter into or perform a contract with you and/or your employer, with your consent, and/or for compliance with our legal obligations. We indicate the specific processing grounds we rely on for each purpose listed below.
We use the data we collect or receive: the personal data that Conduit collects are included in a database to which the authorized personnel of Conduit have access in the exercise of their functions, noting that in no case is the processing of the data authorized for purposes other than those described herein, and they are communicated to the Owner directly at the latest at the time of collection.
a. PRIMARY TREATMENT PURPOSES
▪ Facilitate account creation and logon processes. If you choose to link your third-party account (such as your Google account or LinkedIn account), we use the data you allowed us to collect from those third parties to facilitate and/or expedite account creation and logon processes. See Section 6. HOW WE HANDLE YOUR THIRD-PARTY ACCOUNT LOGINS below for further details.
▪ Send marketing and promotional communications. We and/or our third-party marketing partners may use the data you give to us for our own marketing purposes, if this is in accordance with your marketing preferences. You can opt-out of our marketing emails at any time.
▪ Send administrative information. We may use your data to send you account, product, service, and new feature details and/or information about changes to our terms, conditions, and policies.
▪ Fulfill and manage requests. We may use your data to fulfill and manage your requests, payments, returns, and exchanges made through our Places.
▪ Post testimonials. We post testimonials on our Places that may contain your data. Prior to posting a testimonial, we will obtain your consent to use your data. If you wish to update or delete your testimonial, please contact us at privacy@conduit.fi and be sure to include your name, testimonial location, and contact information.
▪ Deliver targeted advertising. We may use your data to develop and display content and advertising (and work with third parties who do so) tailored to your interests and/or location and to measure its effectiveness.
▪ Request feedback. We may use your data to request feedback and to contact you about your use of our Places.
▪ Protect our Places. We may use your data as part of our efforts to keep our Places compliant with the applicable Laws, safe, and secure (e.g., for AFC, fraud monitoring, and fraud prevention).
▪ Enforce our agreements, conditions, contracts, policies, and terms.
▪ Respond to legal requests and prevent harm. If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to best respond.
▪ Fulfill other business purposes. We may use your data for other business purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns, and to evaluate and improve our Places, products, services, marketing, and user experience.
b. SECONDARY TREATMENT PURPOSES
▪ Collect personal data, incorporate, and store in our databases.
▪ Classify, catalog, divide, separate, or sort the provided data.
▪ Use the data provided in communications, disclosures and promotion campaigns, or offer Conduit activities, products, and/or services.
▪ Maintain historical records and Owner contact details.
▪ Verify or validate the data provided.
▪ Study and analyze the data provided to monitor and improve products, services, and support. ▪ Deliver the personal data to third parties with whom Conduit contracts the storage and/or administration, pursuant to the applicable Laws.
▪ Transfer personal data internationally to servers any country.
▪ Communicate and permit access to all Owners’ personal data provided to third party providers who provide general support services to Conduit.
▪ Collect, maintain, manage, and use the data to control and prevent AFC.
▪ Execute, maintain, and manage business agreements, contracts, and proposals for the products and services provided by Conduit.
▪ Transmitting communications through any medium including, but not limited to, apps, messaging services, social networks, text messages, push notifications, email, phone call, etc., related to Conduit's commercial objectives, including marketing activities and/or handling Owner’s requests.
▪ Provide the Places, products, and services offered and/or agreed and/or contracted. ▪ Creation and administration of the client’s account.
▪ Provide the maintenance, development, and/or control of the commercial relationship between the client and Conduit, including all Owners resulting therefrom.
▪ Provide clients and/or Owners with the necessary information, including through Places, to formalize the relationship and usage of Conduit’s products and services.
▪ Carry out processes within Conduit, for operational development and/or systems administration purposes.
▪ Provide Conduit’s products and services, and respond to our (potential or actual) client’s needs, including maintaining or expanding or improving or iterating on our present products and services that result therefrom.
▪ Keep a historical record of the data, for the purposes of clients’ and Owners’ satisfaction, developing analysis of interests and needs to attempt or enable better products or services. ▪ Carry out market strategies by studying behavior towards various approaches including articles, advertising, or offers in attempts to improve content, products, services, and personalization. ▪ Preparation of commercial prospects, market segmentation, and the like.
▪ Carry out satisfaction surveys, offer benefits or recognition of benefits inherent to our clients, after sales service, rating the quality of our products and services, and providing support. ▪ Carry out the activities necessary to manage the requests, complaints, and claims of our clients, the Owners, or third parties; including directing them to the areas responsible for issuing responses. ▪ Present data and/or reports to the applicable regulatory authorities and process requests made by administrative or judicial bodies.
▪ Managing the accounting, economic, tax, and general administration of clients. ▪ Data retention by the terms established in the applicable Laws.
▪ Transfer or transmission of personal data nationally and/or internationally to third parties with whom Conduit develops activities in compliance with its commercial purposes. Including transmission or transfer to Conduit’s strategic allies to carry out marketing, advertising, and/or promotional activities associated with our commercial purposes.
▪ Sending data to data processors to facilitate and improve the quality of Conduit's products and services.
▪ Require our clients to have the authorization from Owners for the collection of personal data. ▪ Transfer and transmit personal data to Conduit’s third-party commercial partners that offer their products and services on Conduit Places to make efficient contact between the Owner and the commercial partner, in the terms of the applicable Laws.
▪ Access and consult your personal data in the credit and financial data centers, collect relevant data on credit behavior, and preserve, store, and use personal data to send commercial and advertising guidelines, and to contact in relation to matters of the Conduit business activities. This purpose corresponds to those Owners who expressly accept our offered products and services.
▪ Request or carry out consultancies, audits, or related services.
▪ Comply with the internal processes of Conduit in matters of administration. ▪ Improve Conduit’s operational development and/or systems administration. ▪ Make tax declarations or management of tax and tax collection data.
▪ Carry out, in accordance with the applicable Laws, reports to credit bureaus for non-compliance with financial obligations derived from business relationships.
▪ Carry out operations and procedures related to the generation and payment of invoices, issuance of certifications, accounting, etc.
▪ Compliance with the applicable Laws, legal duties, and obligations resulting therefrom.
For other purposes or treatment, prior, express, and informed authorization will be requested from the Owner.
6. WILL YOUR DATA BE SHARED WITH ANYONE?
In sum: We only share data with your consent, to comply with applicable Laws and legal obligations, to protect your rights, or to fulfill contracts and other business requirements.
We may process or share data based on the following legal principles:
▪ Consent: we may process your data if you have given us consent to use your data in a specific purpose.
▪ Legitimate business interests: we may process your data when it is reasonably necessary to achieve our legitimate business interests.
▪ Performance of an agreement or contract: where we have entered into an agreement or contract with you, we may process your data to fulfill the terms of that agreement or contract.
▪ Legal obligations: we may disclose your data where we are legally required to do so in order to comply with applicable Law, governmental or regulatory requests, a judicial proceeding, court order, or other legal processes, such as in response to an order or subpoena from a tribunal (including in response to regulatory authorities to meet national security or law enforcement requirements).
▪ Anonymized: we may disclose your data if it is anonymized. It will be subject to a procedure whereby personal data is decoupled from the data subject rendering the data shared incapable of being used or combined to identify the data subject.
▪ Vital interests: we may disclose your data where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our agreements, contracts, policies, applicable Laws, AFC, suspected fraud, situations involving potential threats to the health or safety of any person, illegal activities, or as evidence in litigation in which we are involved.
We may also process and/or share your data in the following situations:
▪ Vendors, consultants, and other third-party service providers: we may share your data with vendors, third-party service providers, contractors, or agents who perform services for us or on our behalf and require access to such data to do that work. Examples include account onboarding, identity verification, legal requirements, legal obligations, funds flows, payment processing, data analysis, email delivery, hosting services, client services, support services, and marketing efforts. We may allow selected third parties to use tracking technology on the Places, which will enable them to collect data about how you access and interact with the Places over time. This data may be used to, among other things, analyze and track data, AFC, fraud prevention, quality of certain content, or better understand online activity. Unless described in this Policy, we do not share, sell, rent, or trade any of your data with third parties for their promotional purposes.
▪ Business transfers: we may share or transfer your data in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
▪ Business partners: we may share your data with our business partners in order to offer you certain products, services, or promotions.
Conduit may share the information of the personal data with those third parties that are necessary for the development of its activities and commercial purposes, whilst always protecting the rights and data of the Owner. The transmission or transfer of personal data that is carried out will observe the applicable Laws and the supervisory authorities provide for such purposes.
In the case of domestic (intranational) transfers of personal data, Conduit will ensure compliance with applicable Laws of current data protection legislation and protection measures by the person in charge or new controller.
If it is an international transfer, we make sure that the recipient party and its country receiving the personal data provides adequate levels of protection.
When the receiving country does not comply with the appropriate data protection standards, the transmission or transfer will be prohibited unless one of the following legal exceptions is configured:
▪ That the Owner has given express and unequivocal authorization for the transfer or transmission of their data, which by providing such personal data to Conduit is inherent in such provision and as set forth in this Policy and Notice.
▪ Exchange of medical data when required by the Owner's treatment for health and public hygiene reasons.
▪ Financial (e.g., fiat or cryptocurrencies) or stock transfers, in accordance with the applicable Laws. ▪ Transfers agreed in the framework of international treaties to which the country of origin is a party, based on the principle of reciprocity.
▪ Transfers necessary for the execution of a contract between the Owner and the person responsible for the treatment, or the execution of pre-contractual measures if there is authorization from the Owner.
Please note that our servers are in the US; meaning they may be located outside of the country in which the Owner is domiciled and the Owner’s personal data, therefore, may be transmitted internationally to the US. This means that the Owner’s personal data may be transferred to and processed in countries other than the country in which the Owner resides. Data protection laws may be different in the US and other
countries than in your own country and, in some cases, may be less protective. Please be assured that we take appropriate steps to ensure that your personal data is protected in accordance with this Policy.
7. WITH WHOM WILL YOUR DATA BE SHARED?
In sum: We only share data with the following categories of recipients:
▪ Our own group of companies, third-party service providers, product content providers, and partners;
▪ Law enforcement bodies, regulators, governmental agencies, courts and tribunals, legal proceedings, or other regulatory or governmental entities with relevant powers; and
▪ Any other third parties in which you have provided specific consent.
8. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store data. Cookies are small text files that are stored on your browser or device by websites, apps, online media, and advertisements that are used to remember your browser and/or device and/or IP address during and across website visits. Cookies are widely used by website owners to make their websites more efficient, as well as to provide reporting data. Pixels, which are also called web beacons, are small blocks of code installed on, or called by, a web page, app, or advertisement which can retrieve certain data about your device and browser, including the device type, operating system, browser type and version, website visited, time of visit, referring website, IP address, advertising identifiers, location, and other similar data that uniquely identifies your device. Pixels enable the ability to recognize when someone has visited a website or opened an email and allows monitoring the traffic patterns of users within websites, delivery or communication with cookies, determining whether a user has come to a website from an online advertisement displayed on a third-party website, to improve website performance, to measure the success of email marketing campaigns, and to set and read browser cookies from third-party domains and collect data about visitors to that domain, typically with the permission of the domain owner.
a. Can you control cookies?
In sum: Yes, in certain jurisdictions, such as California, Mexico, the EU, and the UK, data subjects may have the right to choose whether or not to accept cookies and/or pixels. Cookies and/or pixels may be an important part of how our Places work. You should be aware that if you choose to refuse or remove cookies and/or pixels, this could affect your ability to access and use our Places.
Most web browsers are configured to accept cookies and/or pixels by default. You can generally configure your browser to remove or reject browser cookies and/or pixels. If interested, follow the instructions provided by your browser, which are usually located in the “help” or “preferences” menu. Some third parties also provide the ability to refuse their cookies and/or pixels directly by clicking on an opt-out link.
Please be aware that removing or rejecting browser cookies or pixels does not necessarily affect third-party cookies or pixels. For more information about cookies, including how to see which cookies have been set on your device and how to manage or delete them, visit https://youronlinechoices.com/, or https://www.youronlinechoices.eu for EU visitors.
For mobile users, your device’s operating system provides controls that enable you to choose whether or not to allow cookies or share your unique identifier with companies like us or our third-party providers. For information on controlling your mobile choices, visit https://www.networkadvertising.org/mobile-choices.
To help control or block certain ads in mobile applications, you can download and utilize the DAA mobile app, which is available at https://youronlinechoices.com/appchoices.
In addition, many advertising networks offer you a way to opt out of targeted advertising. If you would like to find out more information, visit http://www.aboutads.info/choices/.
b. Can you control Do-Not-Track features?
In sum: Yes, most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (DNT) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected.
No uniform technology standard for recognizing and implementing DNT signals has been finalized, however. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Policy.
9. HOW DO WE HANDLE YOUR THIRD-PARTY ACCOUNT LOGINS?
In sum: If you choose to share access to your social media accounts and/or other third-party accounts, we may have access to certain data about you.
Our Places may offer you the ability to share access to your third-party social media account details (like your Google or LinkedIn logins) and/or other third-party accounts. Where you choose to do this, the providers will send us certain profile data about you, not access into your account. The profile data we receive will vary depending on the provider, but will often include your name, date of birth, email address, friends list, profile picture, as well as other data you choose to make public and/or is contained within that account.
We will use the data we receive only for the purposes that are described in this Policy or that are otherwise made clear to you on our Places. Please note that we do not control, and are not responsible for, other uses of your data by your third-party social media providers or other third-party accounts. We recommend that you review their respective privacy policy to understand how they collect, use and share your data, and how you can set your privacy preferences on their sites and apps.
10. HOW LONG AND WHERE DO WE KEEP YOUR DATA?
In sum: We only keep your data, which are stored on servers located in the US, for as long as necessary to fulfill the purposes outlined in this Privacy Policy. Our retention requirements vary, depending on jurisdictional requirements; however, for more details please see the information provided in Section 1. Definitions in Data retention.
We will only keep your data for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by applicable Law (such as AFC, tax, accounting, etc.).
When we have no ongoing legal requirements or legitimate business need to process your data, we will either delete or anonymize it, or, if this is not possible (for example, because your data has been stored in backup archives), then we will securely store your data and isolate it from any further processing until deletion is possible.
As noted in multiple locations throughout the Policy, our servers are in the US, which may be located outside the country in which the Owner resides. Our group companies, third-party service providers, and partners, with whom we may share your data as outlined in this Policy, are located in and transfer data to various jurisdictions around the world. This means that your data may be transferred and processed in countries other than the country in which you reside. The data protection laws may be different in these countries versus your own country and, in some cases, may be less protective. Be assured, we take appropriate measures to ensure that your data is protected in accordance with this Policy.
For further information about retention time periods or international data transfers, contact us at privacy@conduit.fi.
11. HOW DO WE KEEP YOUR DATA SAFE?
In sum: We aim to protect your data through a system of organizational and technical security measures.
We have implemented appropriate technical and organizational security measures designed to protect the security of any data we collect and process, which are designed to provide a level of security appropriate to the level of risk presented; however, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your data, transmission of data to and from our Places is at your own risk. You should only access our Places within a secure environment.
12. DO WE COLLECT DATA FROM MINORS?
In sum: We do not knowingly collect data from or market to natural persons under 18 years of age.
We do not knowingly solicit data from, or market to, natural persons under 18 years of age. By using our Places, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to you minor’s use of the Places. If we learn that data from Owners less than 18 years of age has been collected without authorization from the parent or guardian, we will deactivate the minor’s access and take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from natural persons under age 18, please contact us at privacy@conduit.fi.
13. WHAT ARE YOUR DATA PRIVACY & PROTECTION RIGHTS?
In sum: Depending on your domicile, you may have certain data rights. To learn more about your rights or to exercise any of your rights please consult the information referred to in sections 14 to 21 or contact our Privacy team through the communications methods provided in Section 24.
In certain locations you may be a data subject and have some of the following data rights, which can be exercised through the communications methods provided in Section 24:
▪ Right of access. You may have the right to access and receive copies of your data we hold and receive details about how and why we use your data.
▪ Right to request proof of the authorization granted for the treatment. You may request the person in charge to allow you to know about the record where the consent you granted for the processing of your personal data is recorded.
▪ Right of portability. You may have a right to obtain your data for your own purposes, including so that you can provide or “port” that data elsewhere.
▪ Right of erasure. You may have the right to request us to delete the data we hold about you. We may also pass your requests on to other third parties to which we have shared your data.
▪ Right to exercise your rights without discrimination. You may have the right to exercise these rights without being discriminated against.
▪ Right to file a complaint. You may have the right to complain to your applicable data protection authority about our collection and use of your data.
▪ Right to not participate. If you do not agree with us collecting your data, you can inform us of your choice not to participate.
▪ Right to opt-out and/or revoke. You may have the right to revoke your consent to us collecting and/or processing your data and/or stop marketing communications and/or opt-out of participating and receiving future marketing communications, even if our reasons are based on legitimate business interests. You may also have the right to opt out of other processing activities. For email marketing communications, where applicable, click on the “unsubscribe” link found in those emails. To opt-out of other activities, you may note your preferences when going through the registration process or by accessing your account and updating your preferences.
▪ Right to correct. You may have the right to have us correct any inaccurate or incomplete personal data.
▪ Right to restrict. In certain circumstances you may be able to request that we restrict collecting and/or processing your data. Contact us to learn more about the circumstances in which this right exists at privacy@conduit.fi.
▪ Right to appoint others. Certain locations permit you to appoint someone else to act on your behalf. Typically, this is done through a document such as a power of attorney. If your domicile allows this, please understand that we will require this appointed person to provide proof of such appointment, which may include you verifying your identity directly with us and/or our third-party identity verification partner.
▪ Right to confidentiality. You have the right to have your personal data protected in a manner appropriate to its degree of confidentiality.
▪ Right to anonymization, blocking or deletion. You have the right to have your personal data anonymized, blocked, or deleted of unnecessary, excessive, or processed data in contravention of the provisions of the applicable Law.
▪ Right to obtain confirmation of existence of treatment. At any time and upon request, you have the right to obtain from the person responsible for the treatment, in relation to the data of the Owner processed by such person, the confirmation of the existence of treatment.
a. UPDATING OR EDITING ACCOUNT DATA OR CLOSING AN ACCOUNT
You can review or change the data pertaining to you in your account by contacting us at privacy@conduit.fi or, if available, by logging into your account with us and updating your user data.
If you close your account with us, we will deactivate your account and certain data from our active databases; however, some data will be retained in our systems for AFC, to prevent fraud, troubleshoot problems, assist with any investigations, enforce our agreements and contracts and policies and procedures, and/or comply with the applicable Laws and/or legal requirements.
14. DO ARGENTINIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Argentina, you are granted specific rights regarding access to your personal data.
Argentinian Law No. 25,326 (the Personal Data Protection Act or “PDPA”) focuses directly on data protection. The PDPA defines several data protection-related terms and includes general principles regarding data collection and storage, outlining the Owner's rights and setting out the guidelines for the processing of personal data.
To understand your rights, please review the PDPA in this link http://www.jus.gob.ar/media/3201023/personal_data_protection_act25326.pdf
If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
15. DO BRAZILIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Brazil, you are granted specific rights regarding access to your personal data.
Brazilian regulation, Law 1581 of 2012, Decree 1074 of 2015, Law 962 2005 and Law 1480 from 2011 sets forth the rights of Brazilian residents regarding their personal data held by private parties such as Conduit.
To understand your rights, please review the Regulations in this link http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709compilado.htm
If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
16. DO CALIFORNIA RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of the State of California in the US, you are granted specific rights regarding access to your personal data.
California Civil Code Section 1798.83, also known as the “Shine The Light” law, or the California Consumer Privacy Act of 2018 (SB-1121), may permit our clients who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal data (if any) we disclosed to third-parties for direct marketing purposes and the names and addresses of all third-parties with which we shared such personal data in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided.
If you are under 18 years of age, reside in California, and have a user account with our Places, you may have the right to request removal of unwanted data. To request removal of such data, please contact us using the communications methods provided in Section 24 and include the email address associated with your account and a statement that you reside in California. We will make sure your data is not publicly displayed on our Places, but please be aware that your data may not be completely or comprehensively removed from our systems due to applicable Laws and/or other requirements.
17. DO CANADIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Canada, you are granted specific rights regarding access to your personal data.
The Personal Information Protection and Electronic Documents Act (PIPEDA) sets forth the rights of Canadian residents regarding their personal data held by private parties such as Conduit. To understand your rights, please review the Regulations via this link https://laws-lois.justice.gc.ca/eng/acts/P-8.6/. If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
18. DO CHILEAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Chile, you are granted specific rights regarding access to your personal data.
Chilean regulation, Law 19628 sets forth the rights of Chilean residents regarding their personal data held by private parties such as Conduit. To understand your rights, please review the Regulations in this link https://www.bcn.cl/leychile/navegar?idNorma=141599. If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
19. DO COLOMBIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Colombia, you are granted specific rights regarding access to your personal data.
Colombian regulation, Law 1581 of 2012, Decree 1074 of 2015, Law 962 2005 and Law 1480 from 2011 sets forth the rights of Colombian residents regarding their personal data held by private parties such as Conduit. To understand your rights, please review the Regulations in this link https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=49981. If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
20. DO COTE D’IVOIRE RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Cote d'Ivoire (Ivory Coast), you are granted specific rights regarding access to your personal data.
Cote d’Ivoire Law No. 2013-450 on the Protection of Personal Data (Data Protection Act). Data Protection Act was enacted in 2013 to regulate the collection, processing, use, and storage of personal data in Cote d'Ivoire. The Data Protection Act aims to protect the privacy rights of individuals in Cote d'Ivoire by ensuring that their personal data is collected and processed fairly, lawfully, and transparently. To understand your rights, please review the Data Protection Act in this link http://www.ilo.org/dyn/natlex/docs/ELECTRONIC/104182/126984/F366961585/CIV-104182.pdf or English in this link https://dataprotection.africa/wp-content/uploads/2022/09/Cote-dIvoire_DPA.pdf. If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
21. DO EU AND UK RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of the EU or the UK, you are granted specific rights regarding access to your personal data.
The European Commission’s General Data Protection Regulation (EU GDPR) sets forth the rights of EU residents regarding their personal data held by others, such as Conduit. The UK’s Data Protection Act 2018, which tailors its General Data Protection Regulation (UK GDPR) and sets forth the rights of UK residents regarding their personal data held by others, such as Conduit. To understand your rights, please review the information provided via the hyperlinks above. If you are a resident of the EU or the UK and wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
22. DO MEXICAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Mexico, you are granted specific rights regarding access to your personal data.
Mexico’s Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties sets forth the rights of Mexican residents regarding their personal data held by private parties such as Conduit. To understand your rights, please review the Regulations via the hyperlink above. If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
At any time, you can exercise the rights enumerated therein (your ARCO rights) by sending such a request through the communications methods provided in Section 24. Your request must contain (i) your full legal name (all given names and surnames) and contact information (email address, mobile phone number, primary residential address), (ii) documentary evidence that proves your identity (or we may require you to verify your identity with our third-party identity verification partner), or the items outlined in the second to last bullet point of Section 13 Right to appoint others, (iii) a clear description of the right(s) you wish to exercise, (iv) any other evidence or details that support your request, and (v) if you’re seeking the Right to correct, evidence that supports your request.
23. DO MONTANA RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of the State of Montana in the US, as of 1 October 2024, you are granted specific rights regarding access to your personal data.
The Montana Consumer Data Privacy Act (MCDPA), SB0384 enacted by the 68th Legislature 2023, sets forth the rights of Montana residents regarding their personal data held by private parties if the private party controls or processes the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) controls or processes the personal data of not less than 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data. To understand your rights, please review the MCDPA in this link https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf. If Conduit would qualify under (a) or (b) above and you wish to assert any of your personal data rights on or after 1 October 2024, please contact our privacy team through the communications methods provided in Section 24.
24. DO NIGERIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Nigeria, you are granted specific rights regarding access to your personal data.
The Nigeria Data Protection Regulation 2019 (NDPR) was enacted by the National Information Technology Development Agency (NITDA) to regulate the collection, use, storage, and sharing of personal data by data controllers and processors in Nigeria. To understand your rights, please review the NDPR in this link https://ndpb.gov.ng/Files/NigeriaDataProtectionRegulation.pdf and the NDPR implementation framework established by NITDA in this link https://nitda.gov.ng/wp-content/uploads/2021/01/NDPR-Implementation
Framework.pdf. If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
25. DO PERUVIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of Peru, you are granted specific rights regarding access to your personal data.
Peruvian regulation, Law 29733 and Law 27444 sets forth the rights of Peruvian residents regarding their personal data held by private parties such as Conduit. To understand your rights, please review the Regulations in this link https://www.minjus.gob.pe/wp-content/uploads/2013/04/LEY-29733.pdf and http://www.pcm.gob.pe/wp-content/uploads/2013/09/Ley-de-Procedimiento-Administrativo-de
PersonalLey27444.pdf. If you wish to assert any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
26. DO SOUTH AFRICAN RESIDENTS HAVE SPECIFIC DATA RIGHTS?
In sum: Yes, if you are a resident of South Africa, you are granted specific rights regarding access to your personal data.
The South African Protection of Personal Information Act (POPIA) was signed into law in 2013, and became fully operational on 1 July 2021. POPIA is designed to regulate the processing of personal information in South Africa and to protect the privacy rights of individuals. It establishes principles for the collection, use, and storage of personal information by organizations and gives individuals the right to access and control their personal information. To understand your rights, please review the POPIA in this link https://www.gov.za/documents/protection-personal-information-act. If you wish to asset any of your personal data rights, please contact our privacy team through the communications methods provided in Section 24.
27. DO WE UPDATE THIS POLICY?
In sum: Yes, we update this Policy as necessary to stay compliant with applicable Laws.
We may update this Privacy Policy from time to time. The updated version will be indicated by the “Last updated” date at the beginning of the Policy and the updated version will be effective as soon as it is accessible. If we make material changes to this Privacy Policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your data.
Conduit has the right to modify this Privacy Policy at any time. On top of posting it on our websites, we may inform you that we have updated this Policy by emailing you, if we have your email address.
28. HOW TO CONTACT US ABOUT THIS POLICY?
Regarding the exercise of your personal data protection rights as Owner (including the Owner’s successors, legal representatives and / or proxies (collectively included within in the definition of “Owner”)) Conduit will enable access channels for the Owners.
All communications, queries, complaints and / or claims must be directed to Conduit by any of the following means:
Electronic attention: The Owner may make a request to the following email: privacy@conduit.fi.
Written attention: The Owner may make a request to Conduit Technology, Inc. at the following address: 1001 S Main Street, Suite 4080, Kalispell, Montana 59901, United States of America.
If you have questions or comments about this Policy, you may contact our Chief Legal & Compliance Officer, Mark Graves, who is the head of our Privacy team by email at the address provided above.
29. DO WE TREAT SENSITIVE PERSONAL DATA?
Conduit will not collect, store, or process sensitive data, unless strictly necessary. If such a situation arises, it will not carry out any treatment without the due prior, informed, and express authorization of the data Owner, and only in the following cases:
When the Owner or his legal guardian consents, specifically and prominently, for specific purposes. Without giving the consent of the Owner, in cases where it is essential:
▪ compliance with a legal or regulatory obligation by the data controller.
▪ shared treatment of the data necessary for the execution, by the public administration, of the public policies established in the laws or regulations.
▪ carry out studies by a research body, ensuring, whenever possible, the anonymity of sensitive personal data.
▪ regular exercise of rights, including in contracts and in judicial, administrative, and arbitration processes.
▪ protection of the life or physical safety of the Owner or a third party.
▪ health protection, exclusively, in a procedure performed by health professionals, health services, or health authorities.
▪ guarantee of fraud prevention and security of the Owner, in the processes of identification and authentication of the record in electronic systems, safeguarding the rights referred to in the Legislation and, except in the case in which the fundamental rights and freedoms of the Owner prevail, require the protection of personal data.
▪ When the treatment is necessary to safeguard the vital interest of the Owner and he is physically or legally incapacitated.
▪ When an anonymization or disassociation procedure has been applied.
▪ When there is a norm for the promotion of competition in regulated markets issued in the exercise of the normative function by the regulatory bodies referred to in Peruvian Law 27332, Framework Law of the Regulatory Bodies of Private Investment in Public Services, or the to take its place, provided that the information provided is not used to the detriment of the Owner's privacy.
▪ When the treatment is carried out during legitimate activities and with the due guarantees by a foundation, non-governmental organization, association, or any other non-profit organization, whose purpose is political, philosophical, religious, or union, provided that they refer exclusively to their members or to people who maintain regular contacts by reason of their purpose, in which cases, the data may not be provided to third parties without the authorization of the Owner.
▪ When the treatment refers to data that are necessary for the recognition, exercise, or defense of a right in a judicial process.
▪ When the treatment has a historical, statistical, or scientific purpose. In this event, the measures leading to the suppression of the identity of the Owners must be adopted.
The answers to the questions about sensitive data are optional, therefore, they will not be mandatory. In any case, Conduit will strictly observe the legal limitations on the processing of sensitive data. Conduit, will not condition, in any case, any activity to the delivery of sensitive data. Sensitive data will be treated with the greatest possible diligence and with the highest security standards. Limited access to sensitive data will be a guiding principle to safeguard the Owner’s privacy and, therefore, only authorized personnel may have access to this type of data.
Sensitive data may not be processed for purposes other than those expressly authorized by the Owner.
30. HOW WE TREAT THE PERSONAL DATA OF OUR EMPLOYEES
Conduit is responsible for the treatment of the personal data that you provide from your selection process, recruitment and, where appropriate, if the selection process is successful, when the employment relationship begins and until it concludes, regardless of the cause. The personal data collected will be processed in order to integrate the file as an applicant or candidate or employee or contractor or consultant or agent at the service of Conduit (collectively referred to as “employees”), prove your identity, location, carry out selection and recruitment, administrative and tax procedures, cover the job profile, pay salaries and benefits, assign and verify travel expenses and domestic and international travel tickets, integrate billing, be insured on Social Security or other similar governmental obligations or benefits, designate beneficiaries in terms of the Labor Laws, receive all kinds of legal and extra-legal benefits, control attendance and grant benefits of social security, economic, in-kind, and health benefits; and schedule training actions. It is made known to you that Conduit, in addition to the transfers that you make and that do not require your consent, may carry out the transfer of your personal data for the legal purposes that may arise due to the selection and recruitment process to which you are subjected or the individual employment relationship once you have signed the respective agreement; for all extraordinary transfers we will require your consent, therefore, if you do not want your personal data to be transferred for any or all of the purposes indicated, from this moment forward you can communicate the above, omitting the electronic signature of this notice or using the communications methods provided in Section 24; however, please understand that your refusal to allow such transfers shall also mean that Conduit will be incapable of hiring you or continuing to keep you as an employee depending on the timing of your notification to Conduit.
TO BE CLEAR: if you notify Conduit that you do not want your personal data to be transferred while employed by Conduit, this shall be considered as your written voluntary resignation notification from your employment with Conduit. If you do not express your refusal for said transfers, we will understand that you have given us such consent.
Likewise, at any time you can exercise your data protections rights contact our Privacy team through the communications methods provided in Section 24.