努维账户 - 隐私政策

UAB Nuvei

最后修订：2023 年 2 月 7 日

1. 我们是谁？

UAB Nuvei（立陶宛）（以下简称 "Nuvei"、"公司"、"我们"或 "我们"）尊重我们的支付处理平台（以下简称 "平台"）、银行服务用户以及我们网站（account.nuvei.com）用户的隐私，并致力于保护用户在使用我们的平台、银行服务和/或网站（以下统称 "服务"）时与我们分享的个人数据。

在本公司隐私政策（下称 "隐私政策"）中，您 或 数据主体指个人数据由我们处理的任何人，"个人数据"指我们可以直接或间接识别您身份的任何信息或一组信息，例如您的姓名、电子邮件地址、电话号码等。我们根据《通用数据保护条例》第 2016/679 号（欧盟）（以下简称 "GDPR"）的规定、适用法案的要求以及当局的指示或内部规定处理个人数据。

本隐私政策旨在说明当您访问我们的网站（"网站访客"）时，当您使用我们的服务或其任何部分（"用户"）时，包括通过加密货币交易所的网站或携带服务的交易平台（"交易所"），或当您注册为客户（"客户"）时，当您访问我们在 Facebook、Twitter、LinkedIn 和 Medium 上的社交媒体账户（"社交账户"）时，我们向您收集信息的做法，以及我们使用您的个人数据的方式，以及您可使用的选项和权利。

如果您在美国注册或使用我们的服务，您的个人数据（或根据适用的数据保护法律定义的同等数据）的控制者将是SimplexCC (US), Inc.如果您在其他地方注册或使用我们的服务，您的个人数据控制者将是UAB Nuvei，您的个人数据不会与美国实体SimplexCC (US)共享。SimplexCC有限公司和UAB Nuvei在处理您的个人资料时，通常作为联合控制人，有时上述实体具有控制-处理关系。SimplexCC（美国）与SimplexCC有限公司和UAB Nuvei仅以控制方-处理方关系共享美国公民的数据（SimplexCC（美国）作为控制方，而SimplexCC有限公司和UAB Nuvei作为处理方）。此外，UAB Nuvei 是 Nuvei 集团（加拿大）的子公司。

平台、网站和社交账户可能包含外部网站的链接，例如我们的合作伙伴网站、推广我们服务的网站等。当您通过链接进入任何这些网站时，请注意这些网站和通过它们访问的服务都有各自独立的隐私政策，我们对这些政策或在这些网站上收集个人数据不承担任何责任或义务。在向这些网站提交个人数据或使用相关服务之前，请务必查看其隐私政策。

如果您使用我们的服务、网站、平台或社交账户，订阅我们的时事通讯，或就任何其他问题联系或致函我们，我们认为您已阅读并同意本隐私政策的条款以及其中规定的使用您的个人数据的目的、方法和程序。如果您不同意本隐私政策，则不得使用我们的服务或以其他方式与我们互动。本隐私政策可能会发生变化，因此请不时访问本网站并阅读此处提供的最新版隐私政策。我们向您保证，UAB Nuvei 不会出于营销或商业目的向第三方出售、出租或交易任何个人数据。

本隐私政策通过引用被纳入 nuvei.com/nuvei-accounts/terms-of-use（"TOU"）网站上的《使用条款》、《提供电子货币和支付服务的一般条款和条件》以及引用本隐私政策的任何其他协议或通知，并成为其中的一部分。

2. 我们向谁收集个人数据？

本隐私政策适用于公司对以下各类个人的个人数据的收集、使用和披露：

• 网站访问者：访问本公司网站的个人，他们可能自愿提供某些联系数据（如电子邮件地址），以接收本公司的通信或预先注册接收本公司的服务。为明确起见，网站不包括我们的客户拥有或运营的任何网站。
• 用户:我们处理其信息的个人：
  • 根据我们与客户签订的协议向客户提供服务；或
  • 通过电子货币账户或服务账户直接向我们的用户提供服务；这包括代表组织注册的用户；或
  • 实现监管目标，防止非法活动，遵守适用法律。
• 客户：自行注册或代表实体或组织注册使用公司服务的人，包括商户和交易所运营商。为免生疑问，客户不包括用户。
• 其他人员，包括订阅直销材料、申请我们提供的各种职位、担任我们合作伙伴的代表等。

3. 我们如何使用您的个人数据？

我们仅收集和处理为实现我们指定的个人数据处理目的所必需的个人数据。在处理您的个人数据时

• 我们遵守现行适用法律的要求，包括 GDPR；
• 我们以合法、公平和透明的方式处理您的个人数据；
• 我们收集您的个人数据是为了特定的、明确的和合法的目的，除非在法律允许的范围内，否则不会以与这些目的不符的方式处理这些数据；
• 我们采取一切合理措施，确保根据处理目的，毫不拖延地纠正、补充、暂停或销毁不准确或不完整的个人数据；
• 我们保存个人数据的形式是，可以确定您身份的时间不超过处理个人数据目的所需的时间；
• 除隐私政策或适用法律规定的情况外，我们不会向第三方提供或披露个人数据；
• 我们确保您的个人数据得到安全处理，确保采取技术和组织安全措施，并确保只有因工作职能而需要访问个人数据的员工才能访问这些数据。

4. 我们如何收集个人数据？

我们采用以下方式收集信息：

1. 通过您对服务的使用和/或与服务相关的交易。换句话说，当您使用本服务时，包括您浏览交易所时，我们会独立或通过第三方服务收集和记录与此类使用相关的信息，详情如下。
2. 来自我们的业务合作伙伴 - 交易所、我们的统包合作伙伴、加密货币钱包和经纪人。例如，当您返回交易所时，该交易所可能会向我们提供您的联系信息（如姓名、地址和出生日期），以及您以前访问其网站的使用信息（如用户余额、以前的登录和以前的交易）。
3. 通过公开来源。例如，我们通过您公开的 SN 账户信息、公开的信用卡黑名单和官方有限银行账户名单以及其他在线公开信息收集您的某些信息。
4. 来自第三方服务。例如，当我们使用第三方服务提供服务和防止欺诈时，我们可能会收集一些数据。
5. 您提供给我们的信息。例如，我们收集使用服务所需的个人数据，这些数据由您通过填写注册表、入职流程（如果您注册为客户）和/或直接联系我们的方式提供给我们。
6. 其他人（包括使用我们服务的公司）经您同意向我们提供您的个人数据时。例如，当这些公司指出您的联系人、将您称为授权人等时。

向我们提供个人资料的人对其个人资料的正确性、完整性和相关性负责，并对其同意向我们提交其个人资料负责。我们可能会要求您确认该人有权向我们提供个人数据（例如，通过填写服务订单或注册表）。如有必要（例如，某人向我们询问有关接收其个人资料的事宜），我们将说明此类个人资料的提供者。

5. 我们处理哪些个人数据？

我们出于以下目的并在以下条件下处理您的个人数据：

处理个人数据的目的

正在处理的个人数据

个人数据处理期限

Legal basis for the processing of Personal Data

Registration, use of account, user identification, provision of Service (individuals)

Name, surname, username, e-mail, password, phone number, , personal identity code, date of birth, country of birth, address, address for correspondence, nationality, citizenship, gender, passport/ID card copy and its details (e. g. type, number, issuance place and date, expiry date, MRZ code, signature), selfies, IP address, device geographical location, KYC questionnaire,  details of user’s bank accounts and payments, Service and account usage history, monetary operations, information on sources of income, tax data, Wallet ID, information about the Services ordered and used and changes therein, data on PEP’s, other information required by law.

Personal data collected for the implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention shall be stored in accordance with the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania up to 8 (eight) years as of the transaction/termination of the Company's relationship with the user. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority.

–

Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR)

Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR)

Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)

Registration, use of account, user identification, provision of Service (corporate)

Name, former name (if changed), trading name or doing business as, name and surname of representative of the customer (if any), names and surnames of all directors of the customer, including board members, supervisory council, names and surnames of ultimate beneficial owners of the customer (if any), names and surnames of persons with access right to the customer’s account at the Company, titles of general and limited partners (in case of partnerships), names, surnames, titles of main partners, citizenship, date of birth, declaration on connection with politically exposed persons of all above mentioned persons, gender of all natural persons, business registration address, business operational address, registration number, incorporation date, extract of registration and its date of issue, company’s status, proof of address for each UBO and customer’s representative (who acts under PoA), ID/Passport of UBO and representative persons and authorized persons to account, records of remote identification and verification of legal entity’s representative, records of remote identification and verification of legal entity’s persons who have access to its account, power of attorney (if applicable), representatives personal code (if applicable); e-mail; phone number and residence address.

Information obtained via KYC questionnaire: number of employees, main business activities, business activities countries, authorized capital, last year turnover, planned turnover for next year, purpose of intended business relationship, source of incoming funds, anticipated monthly turnover, anticipated monthly count of transactions, any other document/ information on ad hoc basis.

Personal data collected for the implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention shall be stored in accordance with the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania up to 8 (eight) years as of the transaction/termination of the Company's relationship with the user. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority.

Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR)

Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR)

Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)

Other payments activity, Buy/Sell Crypto

Payments in fiat information: amounts and currency, external IBANs, purpose of transactions.

Payments in crypto information: amounts and currency, wallet address.

name and Surname;

Selfies, ID or passport, billing address, phone number, email address, IP address, device geographical location, credit/debit cards info: first 6 and last 4 digits, BIN country, BIN bank.

From 3 to 8 years from the date of execution of the payment transaction.

Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR).

Legitimate interests of the data controller or a third party (risk assessment) (Article 6(1)(f) GDPR).

Branded Cards

First 4 and last 4 card digits, phone number for One Time Password, name and surname,  payment history: amounts, currencies, fees, merchant name and address, linked internal account number.

8 years as of the transaction/termination of the Company's relationship with the customer.

Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR).

Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR).

Chargeback

Name and surname, POID document, billing address, email, phone number, account number, IP address, device geographical location, wallet address, payment amount and currency, Zendesk tickets, device ID, chargeback request and other related information and proof.

The entire period of the dispute/claim and 5 years after the end of the out-of-court dispute /claim.

Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR).

Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR).

Execution of financial operations, accounting, debt management.

Name, surname, e-mail, phone number, position, place of work, address, relationship with the represented legal entity, account number, credit institution, payment information, debt information, data transferred by the company collecting the contributions and confirmations of payments.

According to the regulatory legal acts, as well as in accordance with the Index of General Document Storage Periods Approved by order No. V-100 of the Chief Archivist of the Republic of Lithuania of 9 March 2011.

When the data does not fall within the above-mentioned storage area – the period of validity of the contract/cooperation between the parties and 10 years after the end of the contract/relationship (last contact).

Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR)

Data processing is necessary for to fulfil a legal obligation imposed on the data controller (Article 6(1)(c) GDPR)

Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)

Evaluation and selection of candidates for the offered job.

Name, surname, e-mail, phone number, address, education and activity data, content of the CV, other information required for the selection/evaluation of the candidate or provided by the candidate.

The selection period and 3 months after the selection if the candidate's consent to the retention of data after the selection has been obtained.

When data are received not for a specific selection, they shall be stored for 3 months after the date of their receipt.

Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR)

Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)

Management of electronic information channels (Platform, Site, Social Accounts), conducting analysis of Platform to provide more relevant content, ensure functionality and security and improve quality of the Service.

IP address, data collected with the help of cookies and settings, browser used, date and time of login, mobile device model and manufacturer, mobile device operating system (iOS, Android), password, account, and Service usage information.

Data collected through the integration of Social Accounts.

Site, Platform data are stored as described in this Privacy Policy.

Site and Platform data that is not included in the cookie information is stored for a maximum of 1 year from the date of collection, unless the person revokes his/her consent (when the data are processed based on consent).

Information in Social Accounts is stored according to the conditions set by the owner of this network

Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR)

Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)

Sending news, conducting surveys, direct marketing, advertising.

Name, e-mail address, phone number, the data requested in the survey announcement/ questionnaire.

Data is processed for 1 year from the receipt of consent, unless you revoke your consent earlier.

Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR).

Settlement of disputes and claims.

Name, surname, workplace address, workplace position, contact with the represented legal entity, phone number, e-mail, the content of the claim or other similar document, information/documents related to the dispute/claim.

The entire period of the dispute/claim and 5 years after the end of the out-of-court dispute /claim resolution and 10 years after the end of judicial proceedings.

Data processing is necessary for to fulfil a legal obligation imposed on the data controller (Article 6(1)(c) GDPR)

Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)

In Social Accounts we can share information about ourselves, our content, events, news, surveys, as well as information about the employees we are looking for. Social accounts users are also subject to the privacy policies of the social networks owners. When you contact us on Social Accounts, depending on the privacy settings you choose, we may see certain user account information such as profile first name, surname, image, sex, e-mail address, location, etc. (the list is not exhaustive). If a user posts information by communicating with us on our Social Accounts (e. g. posts a comment in the comments section of our Social Account or posts a message on our Social Account profile), depending on the privacy settings chosen, the posted information may be made public (for example, visible on our Social Account to other users).

In some cases, we may send messages related to the ordering or provision of our Service through the contact data provided by you, for example, to inform you about the confirmation of the order for Services, the expiration date of the ordered Service, temporary or permanent changes to the Service, including, but not limited to, planned outages, new features offered, version updates, point releases, major releases, abuse warnings, and changes to our TOU, Privacy Policy and other documents and agreements. Such communications are necessary for the proper provision of our contractual obligations and Service and are not considered to be direct marketing communications.

When providing our Services, we may, in certain cases, apply automated data decision-making, for example to prevent fraud, to ensure compliance with AML/CTF policies, etc. Automated decision-making refers to the processing of Personal Data using, for example, a software code or algorithm that does not require human intervention. We regularly review the criteria and models used in automated decision-making to ensure their integrity, efficiency, and impartiality. You may always ask for a revision of such automated decisions as it is indicated in the section 11 of this Privacy Policy.

We may, in certain cases, process Personal Data longer than indicated in this Privacy Policy, e. g. when we are required to do so by law, when we are engaged in litigation, arbitration, pre-trial investigation, etc. Company  assures that in such cases your Personal Data will be deleted immediately as soon as it becomes unnecessary for such purposes.

6. Do we share your Personal Data?

Also, we might share your personal data with parent company (Nuvei group). However, we undertake to do so only according to this Privacy Policy. Such transfers may only take place if we will sign EU standard contractual clauses approved by the European Commission, have other legal basis for such transfer or anonymize your personal data.

Our business partners, suppliers, sub-contractors, or agents who perform services for it, or consultants such as auditors, lawyers, tax advisors, analytics and search engine providers that assist us in the improvement and optimization of the Platform, etc., as well as the Personal Data Processors we use, such as ancillary service providers, IT companies, advertising and marketing companies, accounting companies, etc. We require data processors to store, process and treat Personal Data as responsibly as we do and only in accordance with our instructions. We have such partners and data processors:

Marketing, Advertising Partners – TrustPilot (Denmark);

Payment partners – PAYBIS (UK), PAYBIS US (ZEROHASH), ELASTUM (LT, EE), H FINANCE (LT) (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area)

Accounting, financial services – Hashavim, PWC Israel, Billbeez, Altshuler Shaham Benefits, Howden, Priority, Jonathan Lubik consultants \ Econpartners, IBI trustee, Financial immunities, Michpal, Made Finance, Liram, OvdimNet Ayalon, Kna'an, Hi Bob (USA), RMR Consultants, Sima Kedem Ltd, Yoram Zilberman insurance agency, Baker Tilly Baltics (LT), UAB Scandinavian Accounting and Consulting (LT), SIA Ernst & Young Baltic (LV), MK TAX, Cogency Global, Mazars (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area);

IT solutions, IT security maintenance and technical services – 7CI (Israel), Ingenie (UK) Kyte Consultants Ltd (Malta) (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area).

Cloud and hosting providers - Amazon Web Services, Inc. (USA) Google, Inc. (USA) (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area).

To publish your content to Social Accounts, we provide data to these social media platform operators:

LinkedIn Ireland Unlimited Company (Ireland), LinkedIn Corporation (Ireland), Facebook Ireland Ltd. (Ireland), Facebook, Inc. (USA), YouTube, Inc. (USA), Twitter, Inc. (USA), Twitter International Company (Ireland), A Medium Corporation (USA) (data is securely transmitted when the service provider signs EU standard contractual clauses approved by the European Commission for the transfer of data outside the European Economic Area).

State or local government institutions and authorities, law enforcement and pre-trial investigation institutions, courts and other dispute resolution institutions, other persons performing functions assigned by law, in accordance with the procedure provided for by legislation of the Republic of Lithuania. We provide these entities with mandatory information required by law or specified by the entities themselves.

Other third parties, such as payment institutions, etc. If necessary, to companies that intend to buy or would buy the Company's business or would conduct joint activities with us or would cooperate in another form. To affiliates with whom, we are under common corporate control. In case such affiliate is established outside the EEA we will conduct such Personal Data transfer only following conditions of this Privacy Policy (e. g. will sign EU Standard Contractual Clauses Approved by the European Commission for the transfer of data outside the EEA with such Affiliate).

We normally process Personal Data within the EEA, but in some cases your Personal Data may be transferred outside the EEA. The Company will always take steps to ensure any transfer of such information to entities based outside the EEA is carefully managed to protect your rights and interests by implementing Appropriate safeguards to protect Personal Data.

Your Personal Data will only be transferred outside the EEA under the following conditions:

• Data are transferred only to our reliable partners who ensure the provision of our services to you;
• EU Standard Contractual Clauses Approved by the European Commission, which ensure the security of transfers of your Personal Data, have been signed with such partners;
• The Commission of the European Union has decided on the eligibility of the country in which our partner is established, i.e., an adequate level of security is ensured;
• You have given your consent to the transfer of your Personal Data outside the EEA; or
• A special permit of the State Data Protection Inspectorate of the Republic of Lithuania was obtained to carry out such transfer.

Please note that for the purposes of identity verification and required regulatory screenings, Nuvei utilizes certain third-party identity verification and authentication services, provided by Onfido. Onfido’s collection and use of the information, which includes a copy of a government-issued ID and a photo selfie for biometric comparison, is described in Onfido’s privacy policy https://onfido.com/privacy/ .

For the purposes of complaints handling, Nuvei uses customer support platform - Zendesk Inc., to answer queries via chat, email or online ticket form. You might have to identify yourself by giving your name, surname, email address.  Zendesk Inc. collection and use of the information is described in Zendesk Inc. privacy policy https://www.zendesk.com/company/agreements-and-terms/privacy-notice/.

7. Minors

To use the Service, you must be over the age of eighteen (18). Company does not knowingly process Personal Data from children under the age of eighteen (18) and does not wish to do so. We reserve the right to request proof of age at any stage so that we can verify that minors under the age of eighteen (18) are not using the Service. If it comes to our knowledge that a person under the age of eighteen (18) is using the Service, we will prohibit and block such User from accessing the Service and will take appropriate measures to prevent that User from making use of our Service.

8. Tracking technologies

When you access or use the Service, Site or Platform, we may use (and authorize third parties to use) industry-wide technologies such as cookies or similar technologies, including web beacons, pixel tags, scripts, tags and other technologies that store certain information on your computer (“Local Storage”) and which will allow us to enable automatic activation of certain features, and make your Service experience much more convenient and effortless (collectively “Tracking Technologies”). These Tracking Technologies allow us and third parties to automatically collect information about you (such as your IP address, device unique identifiers and your online behavior), to enhance your navigation on our Site, improve our Site’s performance and customize your experience on our Site, as well as for advertising and fraud prevention purposes. We also use this information to collect statistics about the usage of our Site, perform analytics, deliver content which is tailored to your interests.

To learn more please visit our Cookie Policy, available here:

nuvei.com/nuvei-accounts/cookies-policy.

Direct marketing

With your consent (only), we may use your Personal Data for direct marketing purposes to provide you with newsletters, offers and information about our Service, as well as to inquire about the quality of our performance.

The above content can be sent by e-mail, messages to the phone number specified by you, as well as messages in your account in the Platform or Site. Your contacts may be transferred to our partners who provide us with news sending or quality assessment services.

After sending such content, we can collect information about the people who received it, for example, which message people opened, what links they clicked on, etc. Such information is collected to offer you relevant and more tailored news and content.

Even if you have given your consent to the processing of Personal Data for direct marketing purposes, you can easily withdraw this consent for all or part of the Personal Data processing activities at any time. To do this, you can:

• notify us of your withdrawal in the manner specified in the provided message (e. g. by clicking on the “unsubscribe” link in the newsletter, etc.); or
• send us a notification in a manner specified in this Privacy Policy. If you so request withdrawal of consent, we may ask you to verify your identity.

If you withdraw your consent, we will try to stop sending such content to you immediately.

Withdrawal of consent does not automatically oblige us to destroy your Personal Data or provide you with information about the Personal Data processed by us, therefore, for these actions you should submit a separate request.

9. Your rights

As a data subject, you have the following rights regarding your Personal Data:

• To know (to be informed) about the processing of your Personal Data (right to know);
• To access your Personal Data and the way they are processed (right of access);
• To request the correction or, depending on the purposes of the processing of Personal Data, supplementation of incomplete Personal Data (right to rectification);
• To request the erasure of your Personal Data or the suspension of your Personal Data processing activities (excluding storage) (right to erase and right to “be forgotten”);
• To request us to restrict the processing of Personal Data for one of the legitimate reasons (right to restrict);
• The right to transfer data (right to transfer). This right may be exercised only if there are grounds for its exercise and appropriate technical measures to ensure that the transfer of the requested Personal Data does not pose a risk of security breach to the data of other Data Subjects;
• The right to object the processing of your Personal Data when we process Personal Data based on a legitimate interest of the Company or a third party, including profiling. If you object, we will only be able to further process your Personal Data for compelling legitimate reasons that take precedence over your interests, rights, and freedoms, or to make, enforce or defend legal claims;
• Revoke your consent to the processing of your Personal Data when this data is processed or intended to be processed for direct marketing purposes, including profiling as far as such direct marketing is concerned (based on the Personal Data you provide, profiling may be carried out for direct marketing purposes to offer you individually tailored solutions and proposals. You can revoke your consent to the processing of Personal Data by automated processing, including profiling, or object to it at any time).

We may refuse to exercise your rights listed above, except for refusal to process your Personal Data for direct marketing purposes, competitions or in other cases when Personal Data is processed with your consent, when your request is allowed to us not to comply with the provision of the GDPR, or when, in cases provided for by law, it is necessary to ensure the prevention, investigation and detection of crimes, violations of official or professional ethics, as well as the protection of the rights and freedoms of the Data Subject, us and other persons, or when the Company has a legitimate interest.

You can exercise part of your rights as a Data Subject by changing the user account settings in the Platform or Site and the information contained therein. You may submit any request or instruction related to the processing of Personal Data to us in writing via Company’s internal system for handling Data Subject’s request. Please go to the UAB Nuvei Privacy Center and choose Data subject’s request options here: accounts.nuvei.com/privacy-policy.

When submitting such a request, we may ask you to fill in the necessary forms, as well as provide an identification document or other information that will help us to verify your identity, to better understand the content of your request. You may also send Data Subject’s request together with authorized personal document (ID or passport) copy to our office - Lvivo g. 37, Vilnius, LT-09306, Lithuania,  however, we encourage you to submit you requests via our internal system since that channel is dedicated specifically to handle Data Subject’s requests.

Upon receipt of your request or instruction regarding the processing of Personal Data, no later than within 1 month from the date of the request, we will provide a response and perform the actions specified in the request or inform you why we refuse to perform them. If necessary, the specified period may be extended by a further 2 months, considering the complexity and number of requests. In such a case, within 1 month from the date of receipt of the request, we will inform you of such extension.

If Personal Data is deleted upon your request, we will only store copies of information that are necessary to protect our legitimate interests and those of others, to comply with the obligations of law, to resolve disputes, to recognize interference or to comply with any agreements you have entered with us. Please note that these rights are not absolute, and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations (such as AML/CTF regulations).

10. How do we secure your Personal Data?

We take great care in implementing and maintaining the security of the Service and safeguarding any Personal Data we process. Personal Data, trusted to us, is hosted on Amazon Web Services and Google Cloud Services, which provides advanced security features. Company employs industry standard procedures and policies to ensure the safety of the Personal Data processed and to prevent unauthorized use of any such information. In addition, to safeguard the privacy expectation of the data subjects, Nuvei is Payment Card Industry Data Security Standards (“PCI DSS”) certified. Please note that while we take reasonable measures to safeguard your Personal Data, we cannot fully guarantee its absolute security.

11. Changes to this Privacy Policy

Company reserves the right to change this Privacy Policy at any time, so please re-visit this page frequently. We will provide notice of substantial changes to this Privacy Policy on the Service and/or we will send you an email regarding such changes to the e-mail address that you volunteered. Such substantial changes will take effect seven (7) days after such notice was provided on any of the above-mentioned methods. Otherwise, all other changes to this Privacy Policy are effective as of the stated “Last Revised” date, and your continued use of the Service after the Last Revised date will constitute acceptance of, and agreement to be bound by, those changes.

12. Our contacts:

If you have any questions (or comments) concerning this Privacy Policy, you are welcome to contact us through the following Accounts Privacy Center, available here:

https://nuvei.com/accounts-privacy-center/.

Or

Data Protection Officer:  dpo@nuvei.com.

We will try to reply within a reasonable timeframe. Please feel free to reach out to us at any time. If you are unsatisfied with our response or decision, you can reach out to the applicable data protection authority:

The State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija in Lithuanian, website available at https://vdai.lrv.lt/).

‍