1. Who is responsible for your personal data

This Privacy Policy explains how Pickthebank ("Pickthebank", "we" or "us") collects, uses, shares and otherwise processes your Personal Data in connection with your relationship with us as determined by our Terms of Use and in accordance with applicable data privacy laws and the General Data Protection Regulation 2016/679 (“GDPR”) which is applicable as of 25 May 2018.

We control the ways your Personal Data are collected and the purposes for which we use your Personal Data acting as “data controller” or “data processor” for the purposes of the GDPR.

2. Personal data we collect

When using the term “Personal Data” in our Privacy Policy, we mean the information that relates to you and allows us to identify you, either directly or in combination with other information that we may hold. Your personal data may include for example your name, your contact details or information on how you interact with us.

We will process your Personal Data if and to the extent that the applicable law provides a lawful basis for us to do so. We will therefore process your Personal Data only:

• if you have consented to us doing so
• if we need it to perform the contract we have entered into with you, or
• if we need it to comply with a legal obligation, or
• if we (or a third party) have a legitimate interest which is not overridden by your interests or fundamental rights and freedoms. Such legitimate interests will be the provision of services by us, administrative or operational processes and direct marketing.

3. Categories of the data that we collect

• Name and surname
• Title
• Postal and/or e-mail address
• Phone numbers
• Date of birth
• Salutation (Mr / Mrs / Ms)
• Job title
• Employer

Shall we act as an agent of an Offering Provider, who commissioned us to collect certain AML/CFT-related information, we may offer you to provide such information, strictly for the purposes of identity verification and risk assessment by the Offering Provider and therefore collect additionally such data as passport or any identity card data, registered address, banking details, facial image.

4. Sensitive personal data

In the course of providing Services to you, we may also collect certain sensitive information as defined by the GDPR, for example information for a background check, provided that this is allowed under applicable law. We only collect this information in the case you have given your explicit consent, it is necessary according to legal obligations, or you have deliberately made it public.

5. How and why we use your Personal Data

We use your Personal Data for the following purposes:

• To provide our Services to you
• To communicate with you and manage our relationship with you
• To personalize and improve your user experience
• To improve our Services, fulfil our administrative purposes and protect our business interests
• To comply with our legal obligations or in order to help the Offering Provider with its legal obligations
• We will only use your Personal Data for the purposes for which we collected it and which we informed you about, unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

7. Security of your Personal Data

We are committed to taking appropriate technical and organisational measures to protect your Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

All your Personal Data in electronic format will be stored within the European Union. Any Personal Data in physical form will be kept in a secure location at our premises in Cyprus.

8. Retention period

We will only retain your Personal Data for as long as we need it in order to fulfill the purposes for which it was collected and processed, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

In some circumstances we may anonymise your Personal Data so that it can no longer be associated with you, in which case it is no longer considered as Personal Data. Upon expiry of the applicable retention period we will securely destroy your Personal Data in accordance with applicable laws and regulations.

9. Sharing your Personal Data

Please note that we may use or disclose Personal Data if we are required by law to do so or if we reasonably believe that use or disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or other legal process.

The data can be technically available to the entities whose services we use for processing (“Sub-processors”), therefore we need to share the data based on our legitimate interest.

The list of our Sub-processors with description of our legitimate interests in each case is available here.

10. Cookies

Please review our Cookie Policy, which is available here.

11. Fees

You will in general not have to pay a fee to exercise any of your individual rights mentioned in this Privacy Policy. However, we may charge a reasonable fee if your request to exercise your individual rights is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

12. Updates to our Privacy Policy

We reserve the right to update this privacy Policy at any time, and we will make an updated copy of such privacy Policy publicly available.

13. Contact information

If you have any concerns or require any further information, please do not hesitate to contact us at privacy@pickthebank.eu or send your request to the following address: 225, Arch. Makariou III Avenue Oriana Court, 3rd Floor, Office 4 3105 Limassol, Cyprus