Facetrom Ltd. (the “Company”, “We” or “Us”) provides financial services to customers and partners (the “Clients” or “Data Controllers”) as a Business-to-Business (“B2B” or “Data Processor”) entity. We recognize the importance of maintaining the confidentiality, integrity, and security of Personal Information (“PI”) and Sensitive Personal Data or Information (“SPDI”) of natural persons (“Data Subjects” or “Users”), whose data is being received from the Data Controllers. We are committed to protecting the privacy and confidentiality of PI and SPDI we store and process.
We DO NOT collect, store, or process PI.
Data collection and processing scope as a B2B Data Processor
We DO NOT collect SPDI directly from Users.
We store and process SPDI on behalf of our Clients only, in accordance with their instructions or our privacy procedures in case our Clients provide no specific instructions.
The types of SPDI we may store and process include:
- A facial image of an anonymous User.
- Financial transaction-related data: loan id, loan created date, loan amount, loan currency, loan interest rate, loan number of installments, and other information related to financial transactions.
- User-related data: User gender, User age, User account id, and other non-personal information related to the User.
We store and process SPDI for the following purposes:
- Provide B2B financial services, or other lawful purposes defined in contractual agreements with our Clients.
- Research, develop, train, validate, improve, optimize, tune and certify our B2B services.
- Communicate with our Clients and potential Clients regarding inquiries, quality checks of their SPDI, proof of concept, updates, and administrative matters.
Data accuracy and User rights
We wish to maintain our SPDI as accurately as possible.
Since we cannot identify any of the Users our services store and process, we act only on behalf of the Data Controllers regarding SPI accuracy and Users’ rights.
If you are a User and wish to exercise your rights, please contact the relevant Data Controller. We will assist our Data Controllers in responding to your request in accordance with contractual agreements and applicable laws and regulations.
If you are a Data Controller and wish to make changes in the SPDI provided earlier, please contact our DPPO at the email address listed below.
We retain SPDI in accordance with our Data Controllers’ instructions or applicable laws and regulations and for the duration determined by our contractual agreements. We do not retain SPDI longer than necessary by our Clients and/or by our business goals and requirements.
Data sharing and disclosure
We do not share, transfer, sell, rent, or lease SPDI to any third party, including third-party service providers, unless explicit written consent is granted by the Data Controller or as required by law. If data is shared with any third party, we will set agreements in place, requiring such a third party to ensure data protection and confidentiality of SPDI, as instructed by the Data Controller or by us.
We implement industry-grade measures to protect SPDI against unauthorized access, loss, alteration, or destruction. We strive to maintain the confidentiality, integrity, and availability of the SPDI we store and process. We regularly review and enhance our security practices to ensure SPDI protection.
We established a privacy risk management methodology, which evaluates the risks and manages them regularly, to ensure they are kept at an acceptable level at any time. In case we encounter a high-level risk or detection of a privacy incident, we will establish and manage a mitigation plan and provide a report to the Data Controllers, as applicable.
International data transfers
As a global B2B service provider, we may transfer and/or process SPDI outside the jurisdiction of the Data Controller, given that local privacy laws and regulations and contractual agreements permit doing so. In such cases, we will take appropriate measures to ensure that such international transfers comply with applicable data privacy laws and regulations, including the use of standard contractual clauses or relying on other lawful transfer mechanisms.
Appendix A - glossary of terms
Data Controller - any organization that determines the means and purposes of processing the personal information. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.3 and GDPR Art. 4 (7)]
Data Processor - any organization that processes PI on behalf of and in accordance with the instructions of a Data Controller. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.5 and GDPR Art. 4 (8)]
Data Subject - any natural person to whom the personal information relates. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.6 and GDPR Art. 4 (1)]
Non-personal Information - any information that is not personal information (as per personal information defined below) or any information that is freely available or accessible in the public domain. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.8]
Personal Information (“PI”) - any information that (a) can be used to identify the Individual to whom such information relates, or (b) is or might be directly or indirectly linked to an Individual. Examples: telephone number, date of birth, email ID, address, metadata such as telephone call logs or weblogs, identification numbers such as Aadhaar, PAN and Social Security Number. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.14 and GDPR Art. 4 (1)]
Sensitive Personal Data and Information (“SPDI”) or Sensitive Personal Information (“SPI”) - a special category of personal information, whose nature is either sensitive, such as those that relate to the individual’s most intimate sphere, or that might have a significant impact on the individual. Examples: health records, biometrics, passwords, financial information, sexual orientation. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.22 and GDPR Art. 4 (13) (14) (15)]