Privacy policy
Facetrom Ltd. (the “Company”, “We” or “Us”) provides financial services to customers and partners (the “Clients” or “Data Controllers”) as a Business-to-Business (“B2B” or “Data Processor”) entity. We recognize the importance of maintaining the confidentiality, integrity, and security of Personal Information (“PI”) and Sensitive Personal Data or Information (“SPDI”) of natural persons (“Data Subjects” or “Users”), whose data is being received from the Data Controllers. We are committed to protecting the privacy and confidentiality of PI and SPDI we store and process.
This Privacy Policy outlines how we collect, process and protect PI and SPDI in our capacity as a B2B Data Processor.
Personal Information
We DO NOT collect, store, or process PI.
Data collection and processing scope as a B2B Data Processor
We DO NOT collect SPDI directly from Users.
We store and process SPDI on behalf of our Clients only, in accordance with their instructions or our privacy procedures in case our Clients provide no specific instructions.
The types of SPDI we may store and process include:
- A facial image of an anonymous User.
- Financial transaction-related data: loan id, loan created date, loan amount, loan currency, loan interest rate, loan number of installments, and other information related to financial transactions.
- User-related data: User gender, User age, User account id, and other non-personal information related to the User.
We store and process SPDI for the following purposes:
- Provide B2B financial services, or other lawful purposes defined in contractual agreements with our Clients.
- Research, develop, train, validate, improve, optimize, tune and certify our B2B services.
- Communicate with our Clients and potential Clients regarding inquiries, quality checks of their SPDI, proof of concept, updates, and administrative matters.
Data accuracy and User rights
We wish to keep our SPDI as accurate as possible.
Since we cannot identify any of the Users our services store and process, we act only on behalf of the Data Controllers regarding SPI accuracy and Users’ rights.
If you are a User and wish to exercise your rights, please contact the relevant Data Controller. We will assist our Data Controllers in responding to your request in accordance with contractual agreements and applicable laws and regulations.
If you are a Data Controller and wish to make changes to the SPDI provided earlier, please contact our DPPO at the email address listed below.
Data retention
We retain SPDI in accordance with our Data Controllers’ instructions or applicable laws and regulations and for the duration determined by our contractual agreements. We do not retain SPDI longer than required by our Clients and/or by our business goals and requirements.
Data sharing and disclosure
We do not share, transfer, sell, rent, or lease SPDI to any third party, including third-party service providers, unless explicit written consent is granted by the Data Controller or as required by law. If data is shared with any third party, we will put agreements in place requiring that third party to ensure data protection and confidentiality of SPDI, as instructed by the Data Controller or by us.
Data security
We implement industry-grade measures to protect SPDI against unauthorized access, loss, alteration, or destruction. We strive to maintain the confidentiality, integrity, and availability of the SPDI we store and process. We regularly review and enhance our security practices to ensure SPDI protection.
Risk management
We have established a privacy risk management methodology, which evaluates the risks and manages them regularly, to ensure they are kept at an acceptable level at all times. If we encounter a high-level risk or detect a privacy incident, we will establish and manage a mitigation plan and provide a report to the Data Controllers, as applicable.
Staff competency
We train our employees who handle SPDI and continuously keep them aware of our Privacy Policy and the relevant privacy procedures. We communicate our Privacy Policy to all stakeholders in the Company.
International data transfers
As a global B2B service provider, we may transfer and/or process SPDI outside the jurisdiction of the Data Controller, given that local privacy laws and regulations and contractual agreements permit doing so. In such cases, we will take appropriate measures to ensure that such international transfers comply with applicable data privacy laws and regulations, including the use of standard contractual clauses or relying on other lawful transfer mechanisms.
Changes in our Privacy Policy
We monitor and review our data privacy compliance, our Privacy Policy and our privacy procedures on a yearly basis, to ensure they are updated based on changing privacy regulations and new/modified contractual agreements.
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We encourage you to review this Privacy Policy periodically.
Contact us
If you have any questions, concerns, or inquiries regarding this Privacy Policy, please contact Ronen Zagron, our data protection and privacy officer (who also serves as a grievance officer), at DPPO@facetrom.com.
By engaging with our services or providing SPDI to us, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, processing, and disclosure of SPDI as described herein.
Facetrom Ltd.
Appendix A - glossary of terms
- Data Controller - any organization that determines the means and purposes of processing the personal information. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.3 and GDPR Art. 4 (7)]
- Data Processor - any organization that processes PI on behalf of and in accordance with the instructions of a Data Controller. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.5 and GDPR Art. 4 (8)]
- Data Subject - any natural person to whom the personal information relates. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.6 and GDPR Art. 4 (1)]
- Non-personal Information - any information that is not personal information (as per personal information defined below) or any information that is freely available or accessible in the public domain. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.8]
- Personal Information (“PI”) - any information that (a) can be used to identify the Individual to whom such information relates, or (b) is or might be directly or indirectly linked to an Individual. Examples: telephone number, date of birth, email ID, address, metadata such as telephone call logs or weblogs, identification numbers such as Aadhaar, PAN and Social Security Number. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.14 and GDPR Art. 4 (1)]
- Sensitive Personal Data and Information (“SPDI”) or Sensitive Personal Information (“SPI”) - a special category of personal information whose nature is sensitive, such as information that relates to the individual’s most intimate sphere, or that might have a significant impact on the individual. Examples: health records, biometrics, passwords, financial information, sexual orientation. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.22 and GDPR Art. 4 (13) (14) (15)]