Privacy Policy

This Privacy Policy describes the general principles on how Change processes Users’ personal data and is applicable to any person who uses, has used or has expressed intent to use the services of Change. All of the definitions used in and all circumstances not covered by this Privacy Policy shall be regulated by the Terms and & Conditions of Change and/or Regulation (EU) 2016/679.

The policy concerning the processing of cookies is described in Cookie Policy and is accessible on the Website.

Change has appointed a data protection officer, who can be reached via dpo@getchange.com. All of the inquiries and complaints concerning the processing of personal data should be addressed to said email address.

1. How is personal data collected?

1.1. Change is to be considered a data controller in respect of personal data collected and processed in respect of providing Services to the Users.

1.2. Generally personal data is collected directly from the User, and from the information and documents the User has provided.

1.3. But, in order to comply with the legal obligations personal data is also collected from other sources than the User, e.g. third parties and public sources.

2. Which categories of personal data is Change processing?

2.1. Change is processing the following categories of personal data:

2.1.1. identification data, e.g. name, date and place of birth, address;

2.1.2. identity document data, e.g. photo of the document, number and validity;

2.1.3. contact data, e.g. phone number, email address;

2.1.4. financial data, e.g. ownership and source of fund;

2.1.5. transaction data, e.g. transaction sums, identification numbers and counter-parties, bank account number(s);

2.1.6. other data used for performing customer due diligence measures, e.g. media coverage, occupation and connection to other persons; and

2.1.7. User’s correspondence.

3. For which purposes personal data is processed?

3.1. In general Change is processing User’s personal data for the performance of or entering into a contract with the User. Each User’s personal data is processed for the purposes of providing the Services to the User. Without processing the User’s personal data, Change would be unable to provide Services to the User.

3.2. The purposes for which Change is processing personal data are the following:

3.2.1. fulfilling a contractual obligation, e.g. executing User’s transaction orders and ensuring the safety of the User’s assets;

3.2.2. fulfilling a legal obligation, e.g. ensuring the security of accessing the Account and the transactions and using the data for accounting purposes;

3.2.3. public interest, e.g. by performing necessary acts in order to prevent money laundering and the financing of terrorism; and

3.2.4. sending informative and promotional notifications under a revocable consent received from the User.

3.3. For entering into and for the performance of the contractual agreement between the User and Change and for public interests, Change is applying certain automated decision-making methods to assess the User’s capability, suitability and behavior, whether to enter into or to continue a contractual agreement between the User and Change. The aforesaid assessment is accompanied by human-intervention by an employee of Change, who will perform the final assessment.

4. Which persons have access to the personal data?

4.1. The personal data of the User is being processed by the following categories of data recipients:

4.1.1. Change’s employees responsible for specific tasks regarding the Services;

4.1.2. data processors who help Change with providing the Services, e.g. service providers for the maintenance of our IT-systems and for fulfilling our legal obligations;

4.1.3. third parties to whom Change is required to transfer data under applicable legislation, e.g. relevant state institutions and sector-specific authorities.

4.2. Change has engaged a third-party service provider, Onfido Ltd, a company located and registered in the United Kingdom, for obtaining certain information required in relation to the fulfilment of its obligations under anti-money laundering and terrorist financing prevention rules. While providing services to Change, Onfido Ltd processes User’s personal data as a data processor, however, for enhancing its machine learning capabilities Onfido Ltd is also processing User’s personal data as a data controller. To acquaint itself with the relevant data processing activities which Onfido Ltd undertakes as a data controller the User should read and review the privacy policy located on https://onfido.com/privacy. The User should be aware that Change takes no responsibility in relation to processing activities Onfido Ltd undertakes as a data controller and the User is free to exercise their rights as data subjects in relation to Onfido Ltd fully and independently.

4.3. Change is not responsible for the actions and processing activities of any third parties. Third parties are considered to be separate data controllers, whose services can be procured by concluding separate agreements with them. Third parties may transfer User’s personal data to Third Countries and process it for independent purposes.

4.4. Certain activities of Change may result in the transferring of personal data to Third Countries, meaning countries located outside the EU/EEA, and to countries in relation to which the EU Commission has not issued an adequacy decision, e.g. the US. For ensuring that the User’s data is protected, Change applies appropriate safeguards in the form of standard data protection clauses adopted by the European Commission for the transfers. In case the User wishes to know more about the safeguards and obtain a relevant copy of them, please contact Change using the details specified above.

4.5. Change shall maintain the confidentiality of all information of which Change became aware on the basis of its relationship with the User, including information concerning the User and the Payment Account and Payment Transactions thereof, unless the right or obligation to disclose information arises from legislation.

4.6. Change shall be released from the obligation to maintain confidentiality to the extent that the User has granted consent to the disclosure of information in writing or in Change Apps or Website or to the extent a disclosure of confidential information is allowed or required under applicable laws and/or mandatory orders by regulatory authorities.

5. How long is personal data stored?

5.1. User’s personal data is generally retained as long as the User is using the Services. After the User has stopped using the Services and the User Account has been closed, the User’s personal data shall be retained as long as any claims can be presented on the basis of such data under applicable legislation.

5.2. Certain data, e.g. data obtained for the purposes of the fulfilment of obligations related to anti-money laundering and terrorist financing prevention, or data necessary for accounting purposes, shall be retained as required under applicable legislation and industry standards. Generally, respectively at least for 5 or 7 years since the date of closing the User Account, but not longer than 10 years.

5.3. Change shall immediately terminate processing the data that is processed under the User’s consent, if the consent is revoked.

6. What are the User’s rights regarding data processing?

6.1. Each User, as a data subject, is, at any time, entitled to exercise the following rights:

6.1.1. The right to request the correction of the User’s personal data;

6.1.2. The right to request access to the User’s personal data;

6.1.3. The right to request the erasure of the User’s personal data, e.g. if the processing is based on the User’s consent;

6.1.4. The right to request the restriction of processing of the User’s personal data;

6.1.5. The right to object to the processing of the User’s personal data;

6.1.6. The right to exercise data portability in cases where such data has been provided for the performance of or entering into a contractual agreement by accepting the Terms or has been provided under the consent; and

6.1.7. The right to lodge a complaint to Estonian Data Protection Inspectorate at www.aki.ee.