top of page

Privacy policy

Facetrom Ltd. (the ”Company”, “We” or “Us”) provides financial services to customers and partners (the “Clients” or “Data Controllers”) as a Business-to-Business (“B2B” or “Data Processor”) entity. We recognize the importance of maintaining the confidentiality, integrity, and security of Personal Information (“PI”) and Sensitive Personal Data or Information (“SPDI”) of natural persons (“Data Subjects” or “Users”), whose data is being received from the Data Controllers. We are committed to protecting the privacy and confidentiality of PI and SPDI we store and process.

This Privacy Policy outlines how we collect, process and protect PI and SPDI in our capacity.

  • Personal Information

       We DO NOT collect, store nor process PI.

  • Data collection and processing scope as a B2B Data Processor

       We DO NOT collect SPDI directly from Users.

       We store and process SPDI on behalf of our Clients only, in accordance with their instructions or             our privacy procedures in case our Clients provide no specific instructions.

       The types of SPDI we may store and process include:

                   - A facial image of an anonymous User.

                   - Financial transaction-related data: loan id, loan created date, loan amount, loan         

                      currency, loan interest rate, loan number of installments, and other information related                             to financial transactions.

                   - User-related data: User gender, User age, User account id, and other non-personal-                                   information related to the User.

       We store and process SPDI for the following purposes:

                   - Provide B2B financial services, or other lawful purposes defined in contractual     

                      agreements with our Clients.

                   - Research, develop, train, validate, improve, optimize, tune and certify our B2B services.

                   - Communicate with our Clients and potential Clients regarding inquiries, quality checks of                        their SPDI, proof of concept, updates, and administrative matters.

  • Data accuracy and User rights

       We wish to maintain our SPDI as accurately as possible.

       Since we cannot identify any of the Users our services store and process, we act only on behalf of         the Data Controllers regarding SPI accuracy and Users’ rights.

       If you are a User and wish to exercise your rights, please contact the relevant Data Controller. We           will assist our Data Controllers in responding to your request in accordance with contractual                   agreements and applicable laws and regulations.

       If you are a Data Controller and wish to make changes in the SPDI provided earlier, please                       contact our DPPO in the email address listed below.

  • Data retention

       We retain SPDI in accordance with our Data Controllers’ instructions or applicable laws and                     regulations and for the duration determined by our contractual agreements. We do not retain               SPDI longer than necessary by our Clients and/or by our business goals and requirements.

  • Data sharing and disclosure

       We do not share, transfer, sell, rent, or lease SPDI to any third party, including not with a third-party         service provider, unless explicit written consent is granted by the Data Controller or as required by         law. If data is shared with any third party, we will set agreements in place, requiring such a third             party to ensure data protection and confidentiality of SPDI, as instructed by the Data Controller or         by us.

  • Data security

       We implement industry-grade measures to protect SPDI against unauthorized access, loss,                     alteration, or destruction. We strive to maintain the confidentiality, integrity, and availability of the           SPDI we store and process. We regularly review and enhance our security practices to ensure SPDI         protection.

  • Risk management

       We established a privacy risk management methodology, which evaluates the risks and                         manages them regularly, to ensure they are kept at an acceptable level at any time. In case we           encounter a high-level risk or detection of a privacy incident, we will establish and manage a                 mitigation plan and provide a report to the Data Controllers, as applicable.

  • Staff competency

      We train our employees who handle SPDI and continuously keep them aware of our Privacy Policy          and the relevant privacy procedures. We communicate our Privacy Policy to all stakeholders in the        Company.

  • International data transfers

       As a global B2B service provider, we may transfer and/or process SPDI outside the jurisdiction of             the Data Controller, given that local privacy laws and regulations and contractual agreements             permit doing so. In such cases, we will take appropriate measures to ensure that such                             international transfers comply with applicable data privacy laws and regulations, including the             use of standard contractual clauses or relying on other lawful transfer mechanisms.

  • Changes in our Privacy Policy

       We monitor and review our data privacy compliance, our Privacy Policy and our privacy                           procedures on a yearly basis, to ensure they are updated based on changing privacy regulations         and new/modified contractual agreements.

       We may update this Privacy Policy from time to time to reflect changes in our practices or legal             obligations. We encourage you to review this Privacy Policy periodically.

  • Contact us

       If you have any questions, concerns, or inquiries regarding this Privacy Policy, please contact                   Ronen Zagron, our data protection and privacy officer (who also serves as a grievance officer), at         DPPO@facetrom.com.

 

By engaging with our services or providing SPDI to us, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, processing, and disclosure of SPDI as described herein.

 

Facetrom Ltd.


 

 

Appendix A - glossary of terms

  • Data Controller - any organization that determines the means and purposes of processing the personal information. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.3 and GDPR Art. 4 (7)]

  • Data Processor - any organization that processes PI on behalf of and in accordance with the instructions of a Data Controller.  [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.5 and GDPR Art. 4 (8)]

  • Data Subject - any natural person to whom the personal information relates. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.6 and GDPR Art. 4 (1)]

  • Non-personal Information - any information that is not personal information (as per personal information defined below) or any information that is freely available or accessible in public domain [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.8]

  • Personal Information (“PI”) - any information that (a) can be used to identify the Individual to whom such information relates to, or (b) is or might be directly or indirectly linked to an Individual. Examples: telephone number, date of birth, email ID, address, metadata such as telephone call logs or weblogs, identification numbers such as Aadhaar, PAN and Social Security Number. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.14 and GDPR Art. 4 (1)]

  • Sensitive Personal Data and Information (“SPDI”) or Sensitive Personal Information (“SPI”) - a special category of personal information, whose nature is either sensitive, such as those that relate to the individual’s most intimate sphere, or that might have a significant impact on the individual. Examples: health records, biometrics, passwords, financial information, sexual orientation. [Follows Bureau of Indian Standards, IS 17428 (part 1), Section 3.22 and GDPR Art. 4 (13) (14) (15)]

bottom of page