Version 1.0 – June 2023
1. Purpose and scope
SF1, UAB ("Lender") provides financial services for merchants (provision of a loan), and Soft loans, UAB is acting as a partner of Lender. Soft loans, UAB services are limited to assessing the merchant's risk worthiness and transmitting such information to the Lender so that Lender could contact merchant about obtaining a loan and entering into a contract.
We would like to clarify that the Soft loans collaborates with these trusted partners:
- MB Tyli siena (legal entity registration number 306316912, address of the registered office Valonų str. 21B, LT-11330, website: https://paskolareklamai.lt/).
Please be informed that through these partnerships, your personal data may be processed as described in this Policy.
In any case, All personal data collected by us is processed in accordance with the EU General Data Protection Regulation No. 2016/679 (GDPR), Law on the Legal Protection of Personal Data of the Republic of Lithuania and other applicable legal acts.
In this Policy, we provide you with an explanation on what kind of personal data we collect when providing our services (Services). When writing ‘you’, we mean you as merchant clients, (employee or other parties, such as beneficial owners, authorized representatives, business partners’ representatives, guarantor, other associated parties or a person contacting us by email or using other communication means.
2. Principles relating to processing of personal data
We are responsible for ensuring security of your personal data made available to us, in particular to prevent unauthorized access to your data. We are also responsible for ensuring all users have the opportunity to benefit their rights regarding their own personal data.
When processing personal data, we follow the principles of:
- legality, fairness and transparency;
- purpose limitation;
- data reduction;
- limitation of the length of the storage;
- integrity and confidentiality.
3. What information we collect, for what purposes and on what legal basis
3.1 Categories of personal data being processed
The personal data we collect can be grouped into the following categories:
Type of information
1. Basic personal data
2. Verification data
Name, surname, date of birth of personal identity code, details of ID card (e.g., type, number, place and date of issuance, expiry date, MRZ code, signature).
3. Data related to purchase
Order history and details (unique identifier of the items ordered, order ID, quantity, prices, discounts, taxes and duties, unique value of the cart and checkout, date and time of order or its cancelation, URL for the page where you landed when you entered the merchant’s shop, phone number for receiving SMS notifications, date and time when an order was processed, website where you clicked a link to the merchant’s shop, refunds applied to the order, mailing address (no street or house number) to where the order will be shipped, shipping method used ), billing information (amount, currency of the transaction, ID of the invoice, additional information about transaction, the payment and authentication method, billing address (country, city), application fee (if any) for the charge, information on fraud assessments for the charge, payment status, ID of the review (if any), ID of the transfer to the destination account, ID of connected account, a string that identifies transaction as part of a group, order location, payment gateway), shipping details (address (country, city), method), information how you were authenticated, information of your activities on social networks of the merchant (for example Facebook) only to the extent necessary to evaluate the risks of providing loans to merchants).
4. Information related to legal requirements
Data resulting from enquiries made by the authorities, data that enables us to perform anti-money laundering requirements and ensure the compliance with international sanctions, including the purpose of the business relationship and whether you are a politically exposed person and other data that is required to be processed by us in order to comply with the legal obligation to “know your client” (collected data will differ depending on the client’s risk score).
5. Details of finances, own assets, financial liabilities
Current income and its sources, numbers, dates and types of proof of income and loan agreements; amount of asset liabilities; financial liabilities, credit score, amounts overdue, credit limit; credit payment history, financial statements.
6. Details of your activities in our website
History of the actions performed in our website, technical information, including the internet protocol (IP) address used to connect your computer to the internet, browser type and version, time zone setting, operating system and platform, type of device you use.
7. Contact details
Phone number, e-mail address.
8. Content of correspondence
Letters, emails and other forms of communication and their content, metadata information.
3.2 Purposes and legal basis for personal data processing
Categories of personal data
1. To evaluate merchants application for providing financing from Lender (including creditworthiness and financial risk assessment)
2. To evaluate the risks of guarantor
3. To comply with legal obligations (e.g. implementation of the obligations under the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania, to comply with the legal obligation to “Know Your Customer” and other fraud and crime prevention purposes)
4. To conclude and perform a contract with merchant (provision of a loan)
5. To conclude and perform a contract with partners
6. Debt management and recovery
7. To prevent, limit and investigate any misuse or unlawful use or disturbance of the Services or to establish, exercising and defend legal claims
8. To improve, develop and maintain applications, technical systems and IT infrastructure or our legitimate business interests, such as enabling us to improve and deliver a better and more personalized Service
9. To provide an answer when you contact us via our website or other communication means
4. How we collect your personal data
We collect information you provide directly to us or merchant when you:
- fill out forms to get a loan offer;
- use our Services;
- contact us;
- use merchant’s services
We may also receive your personal data from third parties. In particular:
- we may receive merchant’s “Know Your Customer” data, including your personal data from financial institutions;
- we may receive personal data from merchants’ accounts at “Shopify”, “Woo commerce”, “Stripe”, “Google analytics”, “Facebook”, etc.
- we may receive personal data from third parties such as public or private registers and databases. This includes information to help us comply with legal obligations;
- we may receive personal data from a third party which is connected to you or is dealing with us, for example, business partners, sub–contractors, service providers, merchants and etc.;
- we may receive personal data from banks or other financial institutions in case the personal data is received while executing payment operations;
- we may receive personal data from other entities which we collaborate with.
5. Direct marketing
We may use your personal data for the purpose of direct marketing, only if you give us your prior consent regarding such use of the data.
We provide a clear, free-of-charge and easily enforceable possibility not to give your consent or, at any time, to withdraw your consent to receive our marketing messages. We shall state in each notification sent by e-mail that you are entitled to object to the processing of the personal data, and to refuse receiving messages from us. You shall be able to refuse receiving our marketing messages by clicking on the respective link in each marketing email received from us.
6. How we share your personal data
The following is a list of key recipients, to whom your personal data might be disclosed to:
- electronic money institution;
- public authorities, institutions, organizations, courts and other third parties, but only upon request and only when required by applicable laws, or in cases and under procedures provided for by applicable laws;
- third parties providing services to the Company including providers of legal, financial, auditing, tax, business management, personnel administration, accounting, advertising (including online advertising), direct marketing, communications, data centers, hosting, cloud and/or other services. In each case, we provide such third parties with only as much data as necessary to provide their services. Service providers engaged by us may process your personal data only in accordance with our instructions and may not use them for other purposes;
- third parties for the purpose of performance of the contract concluded with you;
- third parties, when we intend to enter into a business sale transaction and/or to perform legal and/or financial due diligence of us prior to such transaction;
- other persons with your consent.
7. International transfer of personal data
In case your personal data is transferred outside the European Economic Area (EEA), we will take necessary steps to ensure that your data is treated securely and in accordance with this Policy and we will ensure that it is protected and transferred in a manner consistent with the legal requirements applicable to the personal data. This can be done in a number of different ways, for example:
- the country to which we send the personal data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection;
- the recipient has signed or contains in its terms of service (service agreement) standard contractual clauses adopted by the European Commission;
- special permission has been obtained from a supervisory authority.
We may transfer personal data to a third country by taking other measures if it ensures appropriate safeguards as indicated in the GDPR or on the basis of derogations.
8. How we protect your personal data
Please note that, although no system of technology is completely secure, we have to implement appropriate security measures in order to minimize the risks of unauthorized access to or improper use of your personal information.
We and our third-party service providers that may be engaged in the processing of personal data on our behalf (for the purposes indicated above) are contractually obligated to respect the confidentiality of the personal data.
A variety of logical and physical security measures are used to keep your personal data safe and prevent unauthorized access, usage, or disclosure of it (the list indicated below is not exhaustive): we use antivirus software, access control policies, we review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems, we use data encryption, etc.
9. How long we keep your personal data
We will keep your personal data for as long as it is needed for the purposes for which your data was collected and processed, including for the purposes to comply with any legal, regulatory, tax, accounting or reporting obligations. This means that we store your data for as long as it is necessary for provision of the Services and as required by the retention requirements in laws and regulations. If the legislation of the Republic of Lithuania does not provide any applicable data retention period, it shall be determined by us, taking into account the legitimate purpose of the data retention, the legal basis and the principles of lawful processing of personal data.
- as long as your consent remains in force, if there are no other legal requirements which shall be fulfilled with regard to the personal data processing;
- in case of the conclusion and execution of contracts – until the contract concluded between you and us remains in force and up to 10 years after the relationship between you and us has ended;
- the personal data collected for the implementation of the obligations under the Law on the Prevention of Money Laundering and Terrorist Financing shall be stored up to 8 (eight) years as provided in the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority.
In the cases when the terms of data keeping are indicated in the legislative regulations, the legislative regulations are applied.
We may retain your personal data for a longer period when:
- it is necessary in order for us to defend ourselves against existing or threatened claims, or to exercise our rights, or for the proper resolution of dispute, complaint or claim;
- there is a reasonable suspicion of illegal activity;
- it is required by applicable laws;
Upon expiration of the retention period, we will delete and/or reliably and irrevocably depersonalize your data as soon as possible, within a reasonable time required to perform such action.
10. Your rights
- The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data.
- The right to access. You have the right to request from us the copies of your personal data. Where your requests are excessive, in particular if they are being sent with a repetitive character, we may refuse to act on the request, or charge a reasonable fee taking into account the administrative costs for providing the information. The assessment of the excessiveness of the request will be made by us.
- The right to rectification. You have the right to request us to correct or update your personal data at any time, in particular if your personal data is incomplete or incorrect.
- The right to data portability. The personal data provided by you is portable. You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- The right to be forgotten. When there is no good reason for us to process your personal data anymore, you can ask us to delete your data. We will take reasonable steps to respond to your request. If your personal data is no longer needed and we are not required by law to retain it, we will delete, destroy or permanently de-identify it.
- The right to restrict processing. You have the right to restrict the processing of your personal data in certain situations (e. g. you want us to investigate whether it is accurate; we no longer need your personal data, but you want us to continue holding it for you in connection with a legal claim).
- The right to object processing. Under certain circumstances you have the right to object to certain types of processing (e. g. receiving notification emails). However, if you object to us using personal data which we need in order to provide our Services, we may need to close your payment account as we will not be able to provide the Services.
- The right to file a complaint with a supervisory authority. You have the right to file a complaint directly to the State Data Protection Inspectorate of Lithuania if you believe that the personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. You may apply in accordance with the procedures for handling complaints that are established by the State Data Protection Inspectorate and which may be found by this link: https://vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas.
- Rights related to automated decision-making. You have the right not to be subject to a decision which is based solely on automated processing and which produces legal or other significant effects. In particular, you have the right:
- to obtain human intervention;
- to express point of view;
- to obtain an explanation of the decision reached after an assessment; and
- to challenge such a decision.
- Right to withdraw your permission. If you have given us consent, we need to use your personal data, you can withdraw your consent at any time. It will have been lawful for us to use the personal data up to the point you withdrew your permission
If you would like to exercise any of these rights, please contact us via email: firstname.lastname@example.org. For security reasons, we will not be able to process your request if we are not sure of your identity, so we may ask for your ID as proof.
Your requests will be fulfilled, or fulfillment of your requests will be refused by specifying the reasons for such refusal, within 30 (thirty) calendar days from the date of submission of the request that complies with our internal rules and the GDPR. The afore-mentioned time frame may be extended by 60 (sixty) calendar days taking into account the complexity and number of the requests. The Company will inform you of any such extension within 30 (thirty) calendar days of receipt of the request, together with the reasons for the delay.
We may refuse to satisfy your request if the exception and/or limitation to the exercise of data subjects’ right set out in the GDPR apply, and/or if your request is found to be manifestly unfounded or disproportionate. If we refuse to satisfy your request, we will give you our reason for such refusal in writing.
12. Contact us
You may contact us by writing an email to email@example.com.