INDEXO Group Privacy Policy
ABOUT US
The aim of this privacy policy is to inform you about personal data processing performed by INDEXO Group companies in Latvia (hereinafter referred to as INDEXO or we/our), namely:
IPAS “Indexo”, uniform registration number: 40203042988, address: Elizabetes iela 13-1A, Riga (hereinafter referred to as the Administrator) is a licenced investment management company offering low-cost pension plans in Latvia;
Indexo Atklātais Pensiju Fonds AS, uniform registration number 40203248944, address: Elizabetes iela 13-1A, Riga (hereinafter referred to as the Pension Fund) is a licenced private pension fund offering private pension plans;
AS INDEXO Banka, uniform registration number: 40203448611, address: Elizabetes iela 13 – 1A, Riga (hereinafter referred to as the Bank) is a bank offering banking and finance services.
This Privacy Policy applies to existing and potential customers who use INDEXO services, as well as other persons, for example, parties having expressed a wish to receive INDEXO services or commercial notices.
INDEXO hereby informs that for the purposes of the Regulation it is deemed to be a controller with regard to processing of your personal data, whereby your personal data controller is the company of INDEXO Group to whom you have submitted your personal data or whose services you (or the legal person or entity whose beneficial owner or representative you are) use or plan to use and who determines the purposes and means of personal data processing. The legal details of the particular controller will be revealed, for example, when entering into agreements with the respective INDEXO Group company or you can clarify them by addressing us.
Konkrēta pārziņa juridiskā informācija būs redzama, piemēram, slēdzot līgumus ar attiecīgo INDEXO grupas uzņēmumu vai Jūs to varat precizēt, sazinoties ar mums.
Please see information about cookies in our cookie policy.
DEFINITIONS
Processing – any operations we perform with our personal data, for example, including, but not limited to collection, registration, storage, viewing, use, disclosure of your personal data by sending, disseminating or otherwise making them available, as well as approval, deletion or destruction thereof.
Automated decision-making – making decisions without human participation (i.e. making a decision using only technical means), among other, profiling, which causes legal or similar significant impact on the Customer.
Data subject – is any identifiable live natural person whose personal data are being processed by INDEXO Group company.
Group – IPAS “Indexo”, Indexo Atklātais Pensiju Fonds AS and AS INDEXO Banka, as well as other directly controlled companies.
Customer – a person who uses or wishes to use INDEXO Group services and has expressed such a wish.
App – INDEXO mobile application where you can receive INDEXO services.
Personal Data – any information that refers or might refer to you, for example, your name, surname, personal number, address, telephone number, electronic mail address, any economic or other conduct characteristic to you.
Consent – any confirmation willingly and knowingly presented by you whereby you consent to Processing of your Personal Data for a particular purpose.
Profiling – use of your Personal Data for the purpose of assessment of your personal conduct, especially through analysing or predicting conduct related to your economic situation, personal preferences, reliability, behaviour, location.
Regulation – Regulation (EU) 2016/679 of the European Parliament and of the Council (27.04.2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
WE CARE ABOUT YOUR PRIVACY
The aim of this Privacy Policy is to inform you in a clear and understandable manner about your rights and about why and how INDEXO uses your personal information, i.e. Personal Data.
Personal Data is any information that may be used to identify a natural person. We have relevant measures in place to ensure that your Personal Data are safe and to ensure that processing of your Personal Data is compliant with the applicable Personal Data protection laws and regulations. We undertake to protect your personal information and ensure confidentiality in all processes managed by INDEXO.
When processing your Personal Data it is important for us to ensure transparency and clarity therefore we have specified in this Privacy Policy eventual purposes and bases for the processing of your Personal Data. This policy also tells you what Personal Data INDEXO may collect about you and how we will use them. Also, this Privacy Policy contains information about your rights and how you can contact us to acquire additional information regarding processing of your Personal Data and any aspects of exercising of the rights pertaining to you.
A necessity might arise for use to update the Privacy Policy from time to time. The valid version of the Privacy Policy will be published in the App and on our website. In case of significant changes you will be notified by other means, too.
The Privacy Policy may be translated into other languages. Should any discrepancy be detected between the versions in different languages and the Latvian version, the Latvian wording shall prevail.
WHAT PERSONAL DATA DO WE PROCESS?
According to the purposes indicated in this Privacy Policy and the scope necessitating thereof we process the following Personal Data categories:
Personal Data categories
| Identification data | for example, name, surname, personal number, date of birth, information indicated in the identification document (passport or identification card). |
| Contact information | information to contact you, place of residence address, postal address, telephone number, electronic mail address. |
| Financial data | for example, your monthly salary and other income, financial liabilities, source of income (means), information regarding transactions, debts and your assets (for example, financial instruments, real estate) information related to your credit history. |
| Account data | for example, a bank account number and payment card number. |
| Information related to your tax residency | country of your birth, residence, taxpayer number, nationality, tax residency place. |
| Employment data | for example, data about your employer/former employer, profession, experience, education, professional certificates, duration of service. |
| Information about family | for example, marital status, dependants and/or family members. |
| Data regarding the Customer’s financial experience | for example, data acquired from selection and provision of investment services and other products bearing investment risk, for example, data containing evidence of financial experience in trading. |
| Data regarding reliability and due diligence | for example, data regarding payment habits, damage or harm caused to INDEXO or other parties, data allowing INDEXO to perform customer due diligence with regard to laundering proceeds from crime and prevention of financing of terrorism and proliferation and verify compliance with international and national sanctions, aim of cooperation and whether the Customer is a politically exposed person, data regarding origin of assets and wealth, for example, data regarding the Customer’s business partners and business activities. |
| Data related to INDEXO services used by you | for example, type of INDEXO services used by you; assets you have deposited with INDEXO; your liabilities towards INDEXO; your account and card number; your opinion and assessment of INDEXO services; all data contained in any agreements entered into between you and INDEXO or data provided by you to us during the validity of such agreements; creditworthiness assessment data; your communication with INDEXO; your actions when using INDEXO App, internet bank, payment card data, etc.; as well as your personal data that we receive from State Social Insurance Agency in case you have chosen 2nd pension pillar investment plan administered by INDEXO. |
| Application analytical data | for example, which sections of the app you use most often or at which stage you have stopped to fill out some questionnaire. |
| Special category personal data | Laws and regulations determine types of special category Personal Data that we will process in case the law permits it. These special category Personal Data that reveal: race or ethnicity;religious or philosophical conviction;political beliefs;genetic and biometric data;health data,criminal record data. |
| Information regarding location | for example, place of a transaction, IP address, login location. |
| Information acquired about you from different public registers | for example, information INDEXO collects from publicly available registers as a part of service provision and Customer due diligence, for example, Population Register, the Bank of Latvia Credit Register, credit bureaus and credit history databases. |
| Data regarding habits, preferences and satisfaction | for example, activity of use of Services, used Services, personal settings, your preferences regarding sustainability, answers to questionnaires, Customer satisfaction, as well as hobbies and/or personal habits that may affect the Customer’s health condition and be assessed as a part of evaluation of risk factors within the framework of the insurance risk subscription process. |
FOR WHAT PURPOSES AND ON WHAT LEGAL GROUNDS DO WE PROCESS YOUR PERSONAL DATA?
We need to process your Personal Data in order to ensure INDEXO services and performance of other functions. We process them only when we have any one of the legal grounds indicated hereunder:
Fulfilment of an agreement is one of the main legal grounds according to which we process Personal Data for provision of Services. This includes processing necessary to perform certain actions upon your request prior to entering into the agreement, as well as for entering into, amending, fulfilling, maintaining and terminating the agreement.
Performance of a legal obligation is a legal grounds for processing pursuant to which we process Personal Data to comply with requirements of applicable laws and regulations.
Legitimate interest to process Personal Data is a legal grounds for processing of Personal Data in specific justified interests of the Data Controller or a third party as compared to your interests and rights as a Data Subject.
Public interest following from applicable laws and regulations is a legal grounds for processing if it is stipulated by regulatory enactments and is necessary to perform a task in the interests of the society. In such cases processing may be only performed to the extent specified in the applicable regulatory enactments, for example, to prevent laundering proceeds from crime.
Consent as legal grounds for data processing. In cases you grant your consent we will notify you separately about the purpose of processing the particular Personal Data. You may revoke your consent at any time.
Purposes of Personal Data processing
| Provision of our services | We process your Personal Data to ensure provision of services to you, including to: – examine you applications, submissions and requests and to identify you prior to entering into an agreement, for example, in cases where you wish to enter into an agreement with us or are interested in our services; – provide you with an opportunity to use our services remotely, for example, to ensure safe access to INDEXO App for you and verify your identity; – provide services to you according to valid agreements, for example, to execute your payment orders, issue a payment card for you and provide services related to card transactions, to ensure your access to the information about your savings with INDEXO bank and your transactions; – make use of our services more comfortable for you, for example, by providing you with access to the information on your accrued pension capital in INDEXO Private Pension Fund in the INDEXO App, ensuring for you reports on the results of operation on 2nd pension pillar investment plans administered by IPAS INDEXO, ensuring easier making of payments to persons whose contact information has been saved in your smart device; – ensure communication with you in relation to our services; – provide our services to you in a responsible manner and in compliance with the law, for example, to assess and monitor your creditworthiness when providing credit services, or to assess whether you have applied for a 2nd pension pillar investment plan suitable for you and to provide you information thereof; – examine you applications, complaints and objections; – ensure storage of your agreements, storage of information about your transactions, applications and other documents submitted to us, storage of records of your actions in the INDEXO App in our IT systems; – provide support for you in using our services, for example, to remind of a partly completed and unconfirmed customer questionnaire; – ensure provision of our services to another person in case you are a representative or contact of that person. |
| Improvement of our services | We process your Personal Data to ensure that our services meet the needs of our customers and to ensure development and improvement of our services, among others, to: – analyse and assess your use of our services and products and to collect statistics regarding our customer behaviours and then develop our services according to our customer range; – offer services tailored to you; – learn your opinion regarding our services and products, for example, through customer surveys; – make information on our services convenient and understandable for you. |
| Risk management and safety | We process your Personal Data to ensure management of our business risks thus protecting interests of our customers, shareholders and the society and ensuring sustainability of our business, among others, to: – monitor performance of customer credit obligations; – monitor customer transactions; – ensure management of the risk of fraud; – ensure safety of our IT systems and software; – ensure management of risks related to capital sufficiency and liquidity, and to services and market; – ensure management of other risks related to customers, transactions and our business. |
| Marketing and customer engagement | We process your Personal Data to inform you about our services and products and to facilitate your engagement, among others, to: – offer our services and products to you and inform you about new services and products, including via social networks; – personalise your experience so that you would receive marketing information of interest specifically to you; – promote our services, for example, by organising customer events, service promotion campaigns, including raffles and lotteries. |
| Compliance with statutory requirements | We process your Personal Data to ensure compliance with statutory requirements, among others, to: – comply with statutory requirements regarding prevention of laundering of proceeds from crime and terrorism and proliferation; – ensure compliance with national and international sanctions; – ensure performance of statutory requirements regarding the assessment of customer creditworthiness; – ensure performance of statutory requirements in the field of payment services; – ensure performance of statutory requirements with regard to verification of the correspondence of the 2nd pension pillar investment plan to the customer’s age and needs; – comply with requests and orders of public authorities and officials, for example, law enforcement authorities and officials, courts, custody courts, notaries, supervisory authorities, tax authorities; – submit reports, statements and other information to persons specified in regulatory enactments in cases stipulated in regulatory enactments, for example, Latvian and foreign tax authorities, supervisory authorities, the Bank of Latvia Credit Register; – ensure compliance with accounting and record keeping requirements. |
| Protection of our legitimate interests | We process your Personal Data to protect our legitimate interests, among others, to: – ensure our defence in legal disputes; – collect debts; – assign our rights of claim; – ensure storage of documents and data justifying our rights and obligations, including agreements, other documents and correspondence. |
| Implementation of corporate decisions | We may process your data to implement our corporate decisions which might be made in the interests of our shareholders or in pursuit of our corporate and commercial objectives, among others, to: – reorganise INDEXO Group companies; – attract investors and capital or transfer business or capital instruments; – issue debt financial instruments. Personal Data in such cases are processed only to the extent necessary to ensure respective transactions and decisions according to statutory requirements and existing market practice. |
FROM WHAT SOURCES DO WE COLLECT PERSONAL DATA?
You as a data subject
INDEXO collects your Personal Data directly from you as a data subject, for example, when you:
- apply for products and services;
- contact us via mail, email, telephone (with audio or without audio recording), using chat or personally face-to-face;
- make an appointment for consultancy;
- use our products and services;
- submit queries, suggestions and complaints.
With your consent we collect your personal data from you in informative seminars, conferences, etc. Personal data are collected when you apply for these events on our website or when completing registration forms or contact cards during events, as well as from questionnaires.
Resulting from a process
- Personal data are created during an operation, for example, making payments, using products and services, authenticating in the App and using it.
Received from other persons, business partners
- person (participant of a pension plan) who has entered into an agreement with us and has indicated you in the agreement as a payer or a person entitled to receive the accrued supplementary pension capital in case of the death of the participant;
- your employer who has entered into a collective participation agreement with us;
- our business partners who provide you with information about us, carry our market research or provide services within loyalty programme frameworks;
- we may receive your Personal Data from other payment institutions and banks, for example, when executing payment orders;
- we may receive your Personal Data from companies that provide identity verification services in order to prevent attempts of fraud and ensure compliance with laws and regulations;
- we may receive your Personal Data from public authorities, for example, when receiving a particular request related to investigation;
- we may receive your Personal Data from third parties for the purpose of customer due diligence and provision of services.
Public and private registers
- in specific cases INDEXO may collect data from public registers and databases, for example, Lursoft;
- we may collect your Personal Data from credit bureaus during creditworthiness assessment process according to the procedure stipulated by the law.
WITH WHOM ARE YOUR PERSONAL DATA SHARED?
INDEXO Group Companies
To provide you with better services and send information about products and services which may be of interest to you we share your Personal Data among INDEXO Group companies.
Also, in certain cases exchange of Personal Data may be for other purposes, for example, where it is necessary for financial records, auditing or risk assessment.
Service providers and business partners
In order to be able to fulfil our obligations, as well as to ensure performance of services and supervision control it may be necessary for us to provide information containing your Personal Data to our business partners. For example:
- our providers of IT, cloud, payment and other services;
- our financial services and payment network partners, Visa among others;
- card production, personalisation and delivery companies;
- credit bureaus and other institutions involved in providing crediting services;
- providers of insurance services;
- debt collection agencies for debt management and recovery.
Should you require particular information regarding our business partners, please contact INDEXO.
We carefully verify all service providers who process your Personal Data for and on behalf of us. We assess whether Personal Data processors apply adequate safety measures so that processing of your Personal Data is in line with our assignments, directions, instructions and statutory requirements. These companies are not entitled to use your Personal Data for any other purposes.
Law enforcement authorities, state and municipal authorities
In order to comply with statutory obligations we may share your Personal Data with law enforcement authorities (for example, the police, prosecutor’s office, financial investigation service) as well as state and municipal authorities upon justified requests from such authorities. We may also share your Personal Data with law enforcement authorities (for example, courts) as well as state and municipal authorities to protect our legitimate interests when preparing, filing and defending legal claims.
With supervisory authorities (Bank of Latvia, Consumer Rights Protection Centre, Data State Inspectorate, State Revenue Service and other authorities) on the grounds of written requests or in cases of obligations imposed on use by laws and regulations.
Other recipients of the specifically provided service
- Payment beneficiaries
To comply with statutory requirements INDEXO Bank is obliged to enter certain additional information when making a payment. This means that in cases you make a payment from your account we will share your information with the recipient (for example, name, surname, account) together with the payment. By analogy, the other way round – when you receive an incoming payment you will see the data of the payer.
In specific exceptional cases, where a payment has been transferred to your account by mistake, we may share your data with the financial institution or the user who made the erroneous payment in order to recover it by themselves.
We share data of the customers who use crediting services with credit bureaus or other institutions in the manner stipulated by laws and regulations.
We may cooperate with other partners with an aim to improve our services. We will always ascertain that you understand how we and our partners process your data.
- “Open banking” services
You may allow other service providers access your account information or make payments on your behalf. Such service providers are also called “open banking service providers”.
- Pension funds
Should you wish to transfer your 3rd pension pillar supplementary pension savings to another pension fund, we will share your personal data related to your supplementary pension savings with the pension fund of your choice.
- App users
If you activated the option of being visible to other App users in the App, you as a user will be visible to the users who have stored your contact information in their device.
WHERE ARE YOUR PERSONAL DATA STORED?
In general your Personal Data are not processed in countries outside the European Economic Area except where it is necessary to carry out the customer’s order (for example, execution of a payment).
Sharing and processing of Personal Data outside EU/EEA or countries with relevant data protection level may take place where there are legal grounds for it, by applying standard contract clauses, as well as to perform a legal obligation, enter into or fulfil an agreement, or subject to your consent. In case such necessity arises, sharing of Personal Data will be in compliance with the Regulation and we will ensure specific procedures required for such Personal Data processing and ensuring of adequate level of protection.
FOR HOW LONG ARE YOUR PERSONAL DATA STORED?
Personal Data are stored:
- until completion of the obligation stipulated by the law (for example, the period of 5 years stipulated in the Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing; 10 years according to the general period of statute of limitation);
- until achieving the specific purpose of processing;
- if processing is based on the consent, Personal Data are processed for as long as the consent is valid and is not withdrawn.
In particular cases telephone conversations may be recorded. In such cases you will be informed by means of a voice message. Telephone conversations are audio recorded with an aim to ensure and improve service provision quality by means of audio recordings, provide for evidence of transactions and communication with you.
A longer Personal Data storage period is permitted to protect INDEXO legitimate interests, for example, in case of lawsuits.
After the expiry of the storage period INDEXO will delete your Personal Data in a secure manner or make them unavailable (archiving) or unidentifiable so that they can no longer be related to you.
HOW DO WE PROTECT YOUR PERSONAL DATA?
INDEXO ensures, regularly reviews and improves protective measures to protect your Personal Data against unauthorised access, accidental loss, disclosure or destruction. For this purpose we apply modern technologies, technical and organisational requirements, including use of firewalls, antivirus software, encryption.
However, INDEXO recommends that you comply with general safety rules for using devices and the internet, as well as your private data (especially personal identification documents) protection and storage requirements. INDEXO shall not be held liable for unauthorised access to your Personal Data and/or loss of data where it is due to your fault or negligence.
In the event of your Personal Data security incident, where it causes especially high risk to your rights and freedoms, we will immediately notify you, if possible, or the information will be published on our website or in another available manner.
DO WE PERFORM PROFILING OR MAKE AUTOMATED DECISIONS REGARDING YOU?
INDEXO uses Profiling to prepare an analysis for advising you; Profiling may be also performed for making automated decisions, for example, credit assessment, risk management and monitoring of transactions to combat fraud, including automatic collection of data from databases, as well as performing preliminary assessment and making conclusions on whether you are eligible for our Services in line with statutory requirements.
Depending on the products or services that you use we may make automated decisions regarding you. That is, we use technologies to predict risks or results. We do this to improve our decisions, making them more effective and objective. At the same time in such cases you have the right to requests such a decision to be manually reviewed by an INDEXO employee.
Automated decision-making may be used in the following cases:
- to ensure opening an account and perform identity checks according to the principle of “know your customer”;
- to assess your financial capacity of returning loans and determine credit limits;
- to detect fraud and financial crime through account monitoring;
- the Pension Fund performs automated decision-making, including Profiling to select allocation between investing in company shares and bonds within the 3rd pension pillar based on your Personal Data (date of birth, desired retirement age) if you have chosen such a strategy;
- in certain cases, also within marketing activities, if you have agreed to receive tailored offers.
YOUR RIGHTS
The regulatory framework of data protection grants you a number of rights to affect processing of your Personal Data. To exercise these rights you are requested to submit a written application to us:
- personally at our registered office (have your passport or ID card with you);
- by sending an application as a document signed by a safe electronic signature and bearing a timestamp to [email protected];
- via the App.
INDEXO will identify you, namely, verify that you are the same person that you propose to be and will answer you within one month. Where necessary the abovementioned period of time may be extended for two more months considering the complexity and number of requests. INDEXO will inform you about any such extension and reasons of postponement within one month after the receipt of the request.
INDEXO provides such information free of charge. If requests are obviously unjustified or excessive, especially due to their regular repetition, INDEXO may either:
- claim a reasonable fee with consideration of administrative costs related to provision of information or communication or performance of the requested action;
- or refuse to fulfil the request.
Access to Personal Data
You have the right to request a confirmation from INDEXO of whether it processes your Personal Data and in such cases you may request issuance of a copy of the Personal Data being processed.
Correction of Personal Data
If you believe that information related to you is incorrect or incomplete you have the right to request INDEXO to correct it.
Withdrawal of consent
To the extent INDEXO processes your Personal Data subject to your consent you have the right to withdraw your consent to Personal Data processing. In such case INDEXO will cease processing of your Personal Data for the purpose for which you granted your consent. Please take into account that withdrawal of the consent will not grant you the right to contest lawfulness of data processing carried out by INDEXO prior to the withdrawal of your consent.
Deletion
In certain cases you have the right to request INDEXO to delete your Personal Data. However, please take into account that deletion of data is not possible in cases where processing of data follows from regulatory framework. After the data are no longer necessary for performance of specific functions, INDEXO will delete, archive or make the data unavailable/unidentifiable in another manner.
Processing restrictions and objections against data processing
In certain cases you have the right to request INDEXO to limit processing of your Personal Data. However, please take into account that limitation of processing is not possible in cases where processing of data follows from regulatory framework.
Automated individual decision-making, among others, Profiling
In certain cases you have the right not to be a subject of such decision which is based only on automated processing, including Profiling, which cause legal consequences with regard to you or has a similar significant impact.
Data portability
In certain cases you have the right to receive or transfer your Personal Data to another data controller. This right comprises only such data that you have submitted to INDEXO on the basis of your consent or agreement.
Right to address supervisory authority or the court
We highly value your privacy and urge you to contact INDEXO in cases of issues and concerns, however, if you believe that your Personal Data are processed in an inappropriate manner you have the right to address a supervisory authority or the court.
Information regarding supervisory authorities in the European Union is available here.
WHOM SHOULD YOU ADDRESS IN CASE OF QUESTIONS?
Should you have questions regarding Personal Data protection or interest in how we process your Personal Data, please notify our Data Protection Officer by sending a letter to the following mail address: INDEXO, Elizabetes iela 13-1A, Riga, LV-1010 or electronically to email address ([email protected]).
Version 2.0, valid from 16 July 2024*
*We have obtained a bank licence hence we have developed a new INDEXO Group Privacy Policy which explains personal data processing, including for banking operations. The new Privacy Policy does not change personal data processing principles and provisions applicable to our existing customers. Should you have any questions regarding this policy, please write to [email protected].
