PERSONAL DATA PROCESSING POLICY OF THE FAGURA PLATFORM “Policy”

Effective from April 18, 2024

IDENTITY AND CONTACT DETAILS OF THE CONTROLLER

OCN FAGURA MARKETPLACE S.R.L. – a limited liability company, organized and operating in accordance with the laws of the Republic of Moldova, with its registered office located in Chișinău, Buiucani sector, Alba-Iulia street, 194/3, apt. (office) 15, IDNO 1018600006071, with unique registration code 41247936, aims to ensure the safety of personal data of individuals accessing the crowdfunding platform and benefiting from our services.

As a provider of participatory financing services, currently in the process of authorization in accordance with the Law of the Parliament of the Republic of Moldova no. 181 from July 7, 2023, regarding participatory financing services (Law 181/2023), Fagura makes available to Users the Fagura Platform, a digital participatory financing platform available at www.fagura.com (the “Platform”), through which Users registered as Project Developers are connected with Users registered as Investors by facilitating the granting of loans to Project Developers, who have the opportunity to publish Projects for the purpose of obtaining financing, as Fagura’s clients, from Investors who can finance the published Projects by granting Loans (collectively referred to as “Fagura”, “We”, “Fagura Service Operator”), services that involve personal data processing operations.

To access the Platform and use Fagura Services, you agree to the provisions of this Policy (along with our Terms and Conditions and any other documents referenced therein), including the processing of your personal data.

Since we constantly seek to improve our services and comply with applicable laws and regulations, we may modify this Policy from time to time, so please check this Policy periodically. If we make changes that we consider important or that affect your rights, we will notify you through a notification.

GENERAL INFORMATION REGARDING DATA PROCESSING ON THE PLATFORM

As a personal data controller, we have drafted this personal data processing policy (“Policy”) in accordance with the Administrative Code of the Republic of Moldova no. 116/2018 and the Law of the Parliament of the Republic of Moldova no. 133 from July 8, 2011, regarding the protection of personal data (Law 133/2011), including the provisions of Regulation (EU) 679/2016, by which we aim to inform you about the following aspects:

Categories of data subjects;
Personal data processed / Purposes of data processing / Legal basis;
How long we retain your data;
Who we share personal data with;
Where we store processed data;
Data security measures;
The rights you have over your personal data.

In this Policy, the following terms are interpreted as defined below:

„GDPR”	represents Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
“Law 181/2023”	represents the Law of the Parliament of the Republic of Moldova no. 181 from July 7, 2023, regarding participatory financing services;
“Law 133/2011”	represents the Law of the Parliament of the Republic of Moldova no. 133 from July 8, 2011, regarding the protection of personal data;
„Controller”	represents a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data; when the purposes and means of processing are determined by Union or national law, the controller or the specific criteria for its designation may be provided for by Union or national law;
„Personal data”	represents any information relating to an identified or identifiable natural person;
„Data subject”	represents an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as: a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person; in this Policy, the Data subjects may include, but are not limited to, Project Developers, Investors, employees of Users, etc. – the Project Developer and the Investor;
„Processing”	represents any operation or set of operations performed on personal data or on sets of personal data, with or without automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
„Consent” “User”	represents any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them; represents any Investor or Project Developer, a natural or legal person, who creates an account on the Platform and, where applicable, benefits from the Services of the Fagura Platform;
„Registration Form”	represents the online form completed by the Borrower or Investor to obtain the status of Platform User;
„Project Developer”	represents any legal entity or individual conducting professional activity under a form of organization provided by law, who intends to obtain financing through the participatory financing platform Fagura, under the conditions of this document;
„Investor”	represents any natural or legal person who has successfully completed the process of creating a User account – Investor type on the Platform and grants loans for participatory financing through the Platform;
„Commercial communication”	represents information or communication from Fagura addressed to potential Investors or potential Project Developers/Users regarding the services offered by Fagura;
„CNPDCP”	represents the National Center for Personal Data Protection of the Republic of Moldova

This section is completed with the definitions section of the Terms and Conditions of Use of the Fagura Platform.

CATEGORIES OF DATA SUBJECTS

The data subjects of the processing operations are the individual users of the Platform and Fagura Services, the representatives (legal and conventional) – natural persons of the legal entity users and the Project Developers, the natural persons acting as guarantors, as well as third-party beneficiaries of certain services (e.g., individuals to whom users send an invitation to register on the Platform), and any person who accesses the Platform according to the provisions below and the Terms and Conditions of the Platform.

The Platform is not addressed to and is not intended for individuals under 18 years of age. Fagura does not intend to process the personal data of individuals under 18, thus, users who are under 18 cannot benefit from a user account.

PERSONAL DATA PROCESSED / PURPOSES OF DATA PROCESSING / LEGAL BASIS

Personal data refers to any data/information that helps us identify the data subjects; personal data processing refers to any individual who visits the Platform, registered individual users, or other individuals indicated by Users (legal/conventional representatives of legal entity users, individuals acting as guarantors, individuals to whom users send the registration invitation on the Platform) who can be identified based on the data provided on the Fagura Platform. There is data that allows us to identify you directly (e.g., name and surname), while processing other information leads to your indirect identification (e.g., the IP address of the Device the User uses to access the User Account – both are categories of personal data).

Accessing the Platform

Data processed / Purposes of data processing / Legal basis / Recipients / Retention period:

When you, the User, access the Platform, different information is automatically transferred between your terminal and our server; depending on how you access the Platform, these may include:

The IP address of your internet-connected device;
Time zone settings and the country and city from where you access the Platform, the name and URL of the accessed file, the web page from which the access was made, the browser, the type, and version of the device used by you;
The operating system of the device, the manufacturer of the device;
The name of the mobile communications service provider;
Wi-Fi/Bluetooth settings;
HTTP/HTTPS protocol data;
The location of the device (if geolocation is enabled) from which you connect to the Platform.

Purpose and legal basis of processing:

Ensuring optimal connection, ensuring easy use of the Platform, assessing system security and stability. The legal basis for processing the personal data mentioned above is represented by our legitimate interest, according to Article 6(1)(f) of the GDPR. Our legitimate interest derives from the processing purposes mentioned above.

Recipients / categories of recipients:

When we act as a data controller, as a rule, we do not transfer the data collected for the purpose indicated above to third parties, except for the relevant authorities/entities and our partner that provides hosting services for the data and information operated through the Platform, DigitalOcean (a company registered and operating in the United States of America, with its registered office at 01 6th Ave. New York).

Retention period:

The data is stored for a period of 6 months, after which it is automatically deleted/irreversibly anonymized (making it impossible to identify you). Geolocation data (see device data) is deleted after you stop using our website.

Creating a user account on the Platform

Data processed / Purposes of data processing / Legal basis / Recipients / Retention period:

Whether you want to access the Platform as an Investor or as a Project Developer, to be able to provide our services, we need to process the following personal data after creating a user account and by completing the necessary online form with data that directly identifies the Data Subject: name, surname, phone number, email address, password, logs regarding the User’s consent (actions of giving consent), data provided by the User/extracted through connections (to the extent that this data is personal data under the law), necessary for providing the Services in the basic configuration of the Platform according to the Terms and Conditions of Use of the Fagura Platform.

Once your User account is validated by you, you will be assigned a unique code: User account ID, which we will process further in accordance with this Policy.

Purpose and legal basis of processing:

Creating the User account to use the Platform and benefit from the Services (including completing the preliminary formalities for validating the creation of the user account), both as an Investor, if you want to grant Loans to Developers, and as a Project Developer, if you want to attract funding for your own Project. Creating an account on the Platform is a necessary preliminary formality to benefit from the Platform’s Services. The mandatory data for these formalities are necessary to execute the obligations related to the contractual relationship between us and the beneficiaries of the Services. The legal basis for processing the personal data mentioned above is to take steps at the request of the data subject before concluding a contract, according to Article 6(1)(b) GDPR.

Recipients / categories of recipients:

Retention period:

We will store the data and information processed for this purpose for the duration of the contractual relationship between Fagura and the User, plus a period of 3 (three) years from the date of termination of the last contract or from the last login by the User, whichever occurs later.

Verifying the user’s identity

Data processed / Purposes of data processing / Legal basis / Recipients / Retention period:

Whether you want to access the Platform as an Investor or as a Project Developer, to be able to provide our Services, we need to process the following personal data to verify the user’s identity by completing the necessary online form with data that directly identifies the Data Subject: User ID, first and last name, nationality, gender, date of birth, home address, email address, phone number, data from the identity document (e.g., series and number of the identity document, date of issue and expiration of the identity document, personal numeric code), data about the Data Subject’s relationships with the legal entity (employer, position in the company, date of employment, employer phone number); country, identity document, real-time photo, marital status, education, data from utility bills, logs regarding the user’s actions on the Platform, information connecting between our server, the device with which the user completes the registration formalities, mobile device connected to the Onfido interface.

To verify that the Platform Users are the holders of the identity document and that the document does not show signs of fraud necessary when enrolling on the Platform and creating the account, Fagura collaborates with Onfido GmbH (a company registered and operating in Germany under registration number HRB 211512 B, with its registered office at c/o Osborne Clarke, Innere KanalstraBe 15, 50823, Cologne – “ONFIDO”), which provides these Services. Thus, Onfido processes for Fagura the identity data of Fagura clients, namely: (i) individual investors, (ii) administrators/associates (natural persons) of legal entity investors, (iii) administrators/associates (natural persons) of project developers.

The data and information processed by Onfido may include:

An image of an identity document (e.g., an ID card, passport, or driver’s license);
Photos (sometimes taken in quick succession), or;
A video recording of the user and;
Biometric facial identifiers extracted from that recording/images.

If you provide us with information about other individuals (for example, if you represent a Project Developer/Investor and provide information about administrators, partners, members, shareholders, or beneficial owners, or your friends, other than your data), then it is your responsibility to inform them of this Policy and ensure that you have their consent and are authorized to provide us with this data.

Purpose and legal basis of processing:

Verifying the identity of a User is a necessary preliminary formality to benefit from the Platform’s Services. The legal basis for processing the personal data mentioned above is to take steps at the request of the data subject before concluding a contract, according to Article 5(5)(a) of Law 133/2011.

Recipients / categories of recipients:

When we act as a data controller, as a rule, we do not transfer the data collected for the purpose indicated above to third parties, except for relevant authorities/entities and third-party partners: Onfido GmbH (for identity verification services between the Platform User and identity document holders, as well as ensuring that the identity document does not show signs of fraud) and DigitalOcean (for data and information hosting services operated through the Platform).

Retention period:

We will store the data and information processed for this purpose for a period of 5 (five) years in accordance with Law 181/2023, except in the case where the User is part of a loan agreement concluded through the Fagura Platform for a period longer than 24 months, in which case we will store the processed data and information for the entire duration of the loan agreement, plus an additional 3 (three) years (in the case of legal proceedings that extend beyond this period, the data will be processed until the procedures are completed, exclusively for the purpose of those procedures).

Managing the User Account

Data processed / Purposes of data processing / Legal basis / Recipients / Retention period:

If you wish to log in or perform actions from the User Account, it is necessary to process the following personal data for logging into the Platform, using the Services, and Platform features, electronically archiving the information/documents related to the Services, providing support and assistance to Users, evaluating the Services, developing, maintaining, and improving the Platform, ensuring Platform security, providing responses to complaints, claims, and requests, issuing payment documents, archiving logs regarding the User’s actions and transaction records:

The IP address of the device the User accesses the Platform from and other device-related information (when the Platform is used);
The date and time of access to the Platform;
The (technical) request to access the Platform;
HTTP response code;
The amount of data transferred;
The version of the Platform;
The operating system;
Error identification and handling;
Data from the User account;
Data related to transactions;
Data for issuing payment documents;
Bank account data.

Purpose and legal basis of processing:

Managing the User Account is a necessary formality to benefit from the Platform’s Services. We need this data to execute the contractual and legal obligations stipulated by Law 181/2023 and Law 133/2011. The legal basis for processing the personal data mentioned above is the fulfillment of legal obligations, according to Article 5(5)(a) and (b) of Law 133/2011, as well as Article 6(1)(b) and (c) GDPR.

Recipients / categories of recipients:

When we act as a data controller, as a rule, we do not transfer the data collected for the purpose indicated above to third parties, except for relevant authorities/entities and third-party partners: DigitalOcean (for hosting services of data and information operated through the Platform) and the payment processor Victoriabank or Paysera.

Retention period:

We will store the data and information processed for this purpose for a period of 5 (five) years in accordance with Law 181/2023, except in the case where the User is part of a loan agreement concluded through the Fagura Platform for a period longer than 24 months, in which case we will store the data and information processed for the entire duration of the loan agreement, plus an additional 3 (three) years (in the case of legal proceedings that extend beyond this period, the data will be processed until the procedures are completed, exclusively for the purpose of those procedures).

Creating the Investor Profile

Data processed / Purposes of data processing / Legal basis / Recipients / Retention period:

If you wish to access the Platform as an Investor, it is necessary to process the following personal data for creating an Investor profile by completing the necessary questionnaires with data that directly identifies the Data Subject:

Information regarding the Data Subject’s knowledge and experience in the field of investments: The history and level of knowledge in the field of investments, as well as income and education level, for the purpose of evaluating the investor’s profile and the appropriateness of the participatory financing services;
Simulation of the investor’s ability to bear losses: information about income, assets, and existing or future commitments;
Information necessary for Scoring: Marital status, whether you own the property at your residence, whether you have a mortgage;
Information regarding politically exposed persons (PEP): if you represent an Investor and provide information about administrators, partners, members, shareholders, or beneficial owners, other than yourself, then it is your responsibility to inform them of this Policy and ensure that you have their consent and are authorized to provide us with this data.

Purpose and legal basis of processing:

Creating the Investor profile is a necessary preliminary formality to benefit from the Platform’s Services. The mandatory data for these formalities are required to fulfill the legal obligations stipulated by Law 181/2023. The legal basis for processing the personal data mentioned above is the fulfillment of legal obligations, according to Article 5(5)(b) of Law 133/2011.

Recipients / categories of recipients:

When we act as a data controller, as a rule, we do not transfer the data collected for the purpose indicated above to third parties, except for relevant authorities/entities.

Retention period:

We will store the data and information processed for this purpose for a period of 5 (five) years in accordance with Law 181/2023, except in the case where the User is part of a loan agreement concluded through the Fagura Platform for a period longer than 24 months, in which case we will store the data and information processed for the entire duration of the loan agreement, plus an additional 3 (three) years (in the case of legal proceedings that extend beyond this period, the data will be processed until the procedures are completed, exclusively for the purpose of those procedures).

Details on Profiling and Automated Decision-Making

Based on the information provided and using settings configured in accordance with legal requirements (e.g., previous investments, risk appetite, etc.), Fagura creates the profile, prior to investment contracting procedures.

Profiling means evaluation, based on certain parameters (e.g., previous investments, etc.) to allocate a user to a predefined category, based on the evaluation. An automated decision based solely on processing consists of making decisions based on technical, automated means, using data and information provided by the data subject or information resulting from profiling.

We use automated decision-making to evaluate the results of the assessment questionnaire and determine if the data subject understands the level of risk associated with investments in Projects on the Platform and to simulate whether you can bear the risk of losses. If the analysis concludes that certain investments are not suitable for your profile or may pose a risk to your financial situation, we will provide certain warnings on the Platform and assess which category of investors you belong to.

The Platform reviews automated analysis methods in line with the policies/procedures of supervisory authorities and internal policies.

The Platform creates the profile to fulfill the legal obligation of assessing the level of risk and experience and knowledge in the field of investments, as required by Law 181/2023 and EU Regulation 1503/2020. We carry out these steps under Article 22(2)(a) GDPR, which allows us to perform the evaluation in the execution of a contract – specifically the contractual relationship between the Investor and the Platform, as well as under Article 5(5)(b) of Law 133/2011 to fulfill the legal obligations we have under anti-money laundering legislation. At the same time, the Platform allows the User to challenge the decision made as a result of the process and express their point of view, ensuring the intervention of a person on behalf of the Operator. In addition, the User can decide on their own to continue the activity on the Platform with a different classification (e.g., you can opt to be classified as a non-sophisticated investor, even though as a result of the completed questionnaire and automated methods, a sophisticated investor profile was generated).

Creating the Developer Profile

Data processed / Purposes of data processing / Legal basis / Recipients / Retention period:

If you wish to access the Platform as a Developer, it is necessary to process a series of personal data (including from the documentation provided by the Project Developer), which may concern the Project Developer and/or the project itself, including those indicated in the key information sheet.

Purpose and legal basis of processing:

Creating the Developer profile is a necessary preliminary formality to benefit from the Platform’s Services for this role. The mandatory data for these formalities are required to fulfill the legal obligations stipulated by Law 181/2023 and EU Regulation 1503/2020. The legal basis for processing the personal data mentioned above is the fulfillment of legal obligations, according to Article 5(5)(b) of Law 133/2011.

Recipients / categories of recipients:

When we act as a data controller, as a rule, we do not transfer the data collected for the purpose indicated above to third parties, except for relevant authorities/entities.

Retention period:

We will store the data and information processed for this purpose for a period of 5 (five) years in accordance with Law 181/2023, except in the case where the User is part of a loan agreement concluded through the Fagura Platform for a period longer than 24 months, in which case we will store the data and information processed for the entire duration of the loan agreement, plus an additional 3 (three) years (in the case of legal proceedings that extend beyond this period, the data will be processed until the procedures are completed, exclusively for the purpose of those procedures).

Providing Services Related to the Crowdfunding Platform

To provide you with the Services offered by the Platform, after contracting them by you, it may be necessary to process the following personal data:

Contact data (phone number, postal address, email address);
Authentication data on the Platform (User ID and password);
Technical data (data about visitor sessions on the Platform’s website, logs regarding user actions on the Platform);
Transaction data (transactions performed by the User through the Platform, User preferences, auto-loan placement settings);
Data regarding Loan contracts and other contracts/documentation concluded through the Platform.

For all payment processing services processed for intermediation operations conducted on the Platform and to which Fagura has outsourced the payment services and is authorized as a payment service provider in accordance with Directive (EU) 2015/2366, Fagura collaborates with – Paysera LT, UAB (a company organized and operating in accordance with Lithuanian law, with its registered office at Pilaitės av. 16, 04352 Vilnius, Lithuania, having the legal entity code 300060819, – “Paysera”)/ Banca Comercială Victoriabank S.A. (a credit institution organized according to Moldovan law as a joint-stock company, with its registered office in Chisinau, str. 31 August 1989, 141, IDNO 1002600001338 – “Victoriabank”).

In relation to Fagura, in order to fulfill and execute its contractual obligations and to provide payment processing services, Paysera/Victoriabank will process the following personal data on behalf of and for Fagura:

First and last name, pseudonym, gender, date and place of birth, nationality, signature, data from civil status documents, phone/fax, address (domicile/residence), email address, profession, place of work, professional training (graduation diplomas, studies), income, source of income, economic and financial situation, data regarding owned assets, bank details, public function held, political exposure, photograph or video recording of the facial image, personal numeric code, series and number of the identity document, data regarding the commission of crimes, IP address.

Purpose and legal basis of processing:

The purpose of this processing is to ensure the fulfillment of Fagura’s obligations as an intermediary regarding the contracting of Fagura Services by the data subjects. The processing of personal data is necessary for the performance of the contract to which the data subject is a party (according to the Terms and Conditions of the Fagura platform), in accordance with Article 5(5)(b) of Law 133/2011.

Recipients / categories of recipients:

Paysera LT, UAB, a company organized and operating in accordance with Lithuanian law, with its registered office at Pilaitės av. 16, 04352 Vilnius, Lithuania, having the legal entity code 300060819, to – “Paysera”;
Banca Comercială Victoriabank S.A., a credit institution organized according to Moldovan law as a joint-stock company, with its registered office in Chisinau, str. 31 August 1989, 141, IDNO 1002600001338 – “Victoriabank”;
DigitalOcean (a company registered and operating in the United States of America, with its registered office at 01 6th Ave. New York, – “DigitalOcean”) – which provides hosting services for the data and information operated through the Platform.

Retention period:

We will store the data and information processed for this purpose for a period of 5 (five) years in accordance with EU Regulation 1503/2020, except in the case where the User is part of a loan agreement concluded through the Fagura Platform for a period longer than 24 months, in which case we will store the data and information processed for the entire duration of the loan agreement, plus an additional 3 (three) years (in the case of legal proceedings that extend beyond this period, the data will be processed until the procedures are completed, exclusively for the purpose of those procedures).

Compliance with the Operator’s legal obligations

Data processed / Purposes of data processing / Legal basis:

We process your personal data to comply with the provisions of Regulation 1503/2020, but also to comply with legislation on the prevention of money laundering and terrorism financing and fraud. For example, Article 5 of the Regulation requires compliance with certain diligence obligations (i.e., the project developer has no criminal record).

Purpose and legal basis of processing:

Fagura processes personal data for this purpose to fulfill the legal obligations of the Company (Article 5(5)(b) of Law 133/2011).

Recipients / categories of recipients:

When we act as a data controller, as a rule, we do not transfer the data collected for the purpose indicated above to third parties, except for the relevant authorities/entities and the partner DigitalOcean (a company registered and operating in the United States of America, with its registered office at 01 6th Ave. New York, – “DigitalOcean”) – which provides hosting services for the data and information operated through the Platform.

Retention period:

We will store the data and information processed for this purpose for a period of 5 (three) years in accordance with Law 181/2023, except in the case where the User is part of a loan agreement concluded through the Fagura Platform for a period longer than 24 months, in which case we will store the data and information processed for the entire duration of the loan agreement, plus an additional 3 (three) years (in the case of legal proceedings that extend beyond this period, the data will be processed until the procedures are completed, exclusively for the purpose of those procedures).

Managing the contractual relationship with the User and improving Fagura’s services

Data processed / Purposes of data processing / Legal basis:

We process the following personal data to respond to all your requests and also to improve and develop our services:

Contact data (phone number, postal address, email address).

In addition, to resolve complaints and more, we may send you messages regarding changes or contact you if there are issues related to your account/investment, such as insufficient identity information or payment errors.

Purpose and legal basis of processing:

Fagura processes personal data for this purpose to perform a contract with you (Article 6(1)(b) first sentence of the GDPR), but processing is also necessary for our legitimate interests or those of a third party (Article 6(1)(f) of the GDPR).

Recipients / categories of recipients:

When we act as a data controller, as a rule, we do not transfer the data collected for the purpose indicated above to third parties, except for relevant authorities/entities.

Retention period:

We will store the data and information processed for this purpose only for the necessary duration of processing these data and until the basis on which Fagura relies for data processing ceases.

Sending marketing communications based on selected preferences

Data processed / Purposes of data processing / Legal basis:

Our commercial communications will be sent periodically by email and/or SMS, depending on your preferences, if you choose to subscribe to them. When you give us your consent in this regard, you will receive information about the latest Fagura projects that may be of interest to you.

Purpose and legal basis of processing:

This is done solely based on your consent as the data subject (Article 6(1)(a) of the GDPR). This mechanism leads to receiving offers tailored to a client/a segment of clients and may result in uneven distribution of offers to our client base. Once you give consent to process your data, you can revoke this consent at any time, without further obligations, with effects for the future, without affecting the data processing already carried out based on the consent.

We remind you that you can withdraw your consent at any time by unsubscribing from commercial communications if you no longer wish to receive information about Fagura’s new projects/commercial communications from Fagura.

Recipients / categories of recipients:

When we act as a data controller, as a rule, we do not transfer the data collected for the purpose indicated above to third parties, except for relevant authorities/entities.

We will use your personal data only for the purposes for which we processed it, except when we consider it necessary to use it for another purpose compatible with the original purpose. If the new purpose is not compatible with the initial one, we will notify you within a reasonable time and inform you of the legal basis that will allow us to operate this change.

Retention period:

We will store the data and information processed for this purpose only for the necessary duration of processing these data and until the basis on which Fagura relies for data processing ceases or until you decide to withdraw your consent.

Legal reports to authorities, procedures, and investigations conducted by competent authorities

Data processed / Purposes of data processing / Legal basis:

The data from the User Account, which we may be required by law to provide to the relevant authorities, according to legal reporting obligations, as well as in case of investigations conducted by contracting authorities, in accordance with the law;

Responding to formal/official inquiries/investigations from authorities;

Compliance with our legal obligations during/for investigations conducted under the law;

Financial audit, reporting, and other tax obligations, and for generating reports aimed at improving our business model).

Purpose and legal basis of processing:

Legal basis: Article 5 of Law 133/2011, as well as the provisions of Article 6(b) GDPR (legal obligations of the data controller) and Article 6(f) GDPR (legitimate interest of the data controller or third-party partner)

Recipients / categories of recipients:

Retention period:

We will store the data and information processed for this purpose until the clarification/completion of investigations/inquiries, plus 3 (three) years, and for tax documentation – 10 (ten) years starting from the next financial year.

Protection of the rights/interests of the data controller/defense procedures/debt recovery actions/legal actions

Data processed / Purposes of data processing / Legal basis:

The data from the User Account, according to this Policy.

Purpose and legal basis of processing:

Establishing, exercising, and/or defending our legitimate rights. Such data may be contained in the documentation we may need to present in court/to relevant authorities to protect our legitimate interests and rights.

Legal basis: Article 6(1)(c) GDPR (fulfillment of contractual obligations arising from the mandate contract) and Article 6(1)(f) GDPR (legitimate interest of the data controller or third-party partner).

Recipients / categories of recipients:

Retention period:

We will store the data and information processed for this purpose until the conclusion of the court proceedings/actions and/or the enforcement of the final court decision.

Business transfer / corporate operations

Data processed / Purposes of data processing / Legal basis:

The data from the User Account, according to this Policy.

Purpose. Description of processing. Legal basis.

Managing, expanding, or developing the Platform’s / Operator’s activity.

In the case of a (potential) business transfer (we sell part of the business or certain assets) related to the Operator/Platform, or investments are made regarding the Operator, it may be necessary to disclose your data to the potential buyer of those business activities or assets/investor, to ensure the operation is carried out; (ii) in case the Operator (or a substantial part of its assets/shares) is acquired by a third party or is subject to reorganization operations (merger, division, etc.).

Legal basis: Article 6(1)(b) GDPR (fulfillment of legal obligations) and Article 6(1)(f) GDPR (legitimate interest of the data controller or third-party partner).

Recipients / categories of recipients:

We may need to share your data with the potential buyer, including consultants/specialists – auditors, based on agreements that may be necessary in this regard (e.g., data processing contract for the purpose of the transaction), but always based on strict confidentiality obligations assumed by these recipients, which will also include the assumption of necessary security measures for the protection of your data. The data will also be shared with our consultants/specialists, based on confidentiality and data security obligations.

Retention period:

We will store the data and information processed for this purpose until the completion of the contractual relationships with the User, in case the operations involve a transfer to a third party.

HOW LONG WE KEEP YOUR DATA

We will keep your personal data only for the period necessary to fulfill the purposes for which we collected it, including for the purpose of complying with any legal or tax requirements, but the period for processing contracts and records related to services and transactions cannot be less than 5 years, according to Article 26 of EU Regulation 1503/2020.

To determine the appropriate retention period for personal data, we take into account the quantity, nature, and sensitivity of personal data, the potential risk of harm caused by unauthorized use or disclosure of personal data, the purposes for which we process the data, and whether we can achieve these purposes by other means.

WHO WE SHARE PERSONAL DATA WITH

In certain circumstances, to provide you with Fagura services, we will share your personal data with our licensed and authorized service providers we collaborate with. When we share your data, we require them to ensure data protection through strict data security measures and not to use the data other than according to our precise and clear instructions, specifying exactly the personal data processed, the purposes of processing, the manner of processing, storage, and retention. They are not authorized to use the data in any situation for their own purposes or for other purposes or in any manner other than those specifically entrusted by us.

Partners providing support functions/related functions necessary for operating the service platform and to which Fagura has outsourced some support functions include:

Onfido GmbH (a company registered and operating in Germany under registration number HRB 211512 B, with its registered office at c/o Osborne Clarke, Innere KanalstraBe 15, 50823, Cologne – “ONFIDO”) – which provides KYC (Know Your Customer) services in the PFP;
DigitalOcean (a company registered and operating in the United States of America, with its registered office at 01 6th Ave. New York, – “DigitalOcean”) – which provides data and information hosting services operated through the PFP;
Paysera LT (a company organized and operating in accordance with Lithuanian law, with its registered office at Pilaitės av. 16, 04352 Vilnius, Lithuania, having the legal entity code 300060819), to – “Paysera” which provides payment services;
Banca Comercială Victoriabank S.A., a credit institution organized according to Moldovan law as a joint-stock company, with its registered office in Chisinau, str. 31 August 1989, 141, IDNO 1002600001338, BIC Code VICBMD2X – “Victoriabank” which provides payment services.

You can review the data processing policies of Fagura partners by accessing the links inserted below:

Onfido: https://onfido.com/privacy/
DigitalOcean: https://www.digitalocean.com/legal/privacy-policy/
Paysera: https://www.paysera.com/v2/en/legal/privacy-policy

WHERE WE STORE PROCESSED DATA

All data and information processed by Fagura are stored in the data center of DigitalOcean, the provider of DC Hosting services we collaborate with, located in Frankfurt, Germany.

All data and information processed by DigitalOcean for the provision of DC Hosting Services are stored in data centers located in Europe, specifically in Frankfurt, Germany. Given that DigitalOcean’s headquarters are outside the European Union, there is a possibility that they may transfer personal data to countries other than the country where the data was initially collected. Therefore, for personal data they receive from the EEA and Switzerland, DigitalOcean has certified its compliance with the EU-US Privacy Shield and Switzerland-US Privacy Shield, as established by the US Department of Commerce regarding the collection, use, and retention of personal data from such countries.

Furthermore, DigitalOcean currently uses standard contractual clauses regarding data transfers from the EEA to the US, to the extent that the EU-US Privacy Shield is considered invalid and other means are not yet in place.

DATA SECURITY MEASURES

Fagura ensures the necessary technical and organizational measures for safe data collection, processing, and storage, including against unauthorized access, unauthorized data use, or destruction, loss, or alteration of data. We are committed to keeping the Personal Data of the Data Subjects safe and take all reasonable protective measures to do so.

Fagura ensures technical and organizational measures, including against unauthorized access and unauthorized data use, through measures such as:

Specific IT security means, limited staff access by categories of competences/job tasks and access rights;
Appropriate administrative and organizational measures to ensure the confidentiality of the persons who have access to the data;
Security and guarding of the spaces where/servers on which the data and physical documents in which your data are stored are kept, through specific physical security measures, security of electronic and physical documentation, etc.

In addition, Fagura has developed and implemented several policies and procedures aimed at ensuring the safe processing of the Personal Data of the Data Subjects, such as: Access Control Policy, Backup and Data Restoration Policy, Change Management Policy, Clean Desk Policy, Cryptographic Control Policy, Desktop Computers Use Policy, Information Classification Policy, Information Security Incident Policy, Internet Use Policy, Mobile Computing Equipment Policy, Password Policy, Physical Access Policy, System Monitoring Policy, Remote Access Policy, Risk Assessment Procedure, Segregation of Duties Policy, and finally, Third Party Access Policy.

Furthermore, we make all reasonable efforts to ensure (including through contracts with our suppliers) that our trusted partners manage appropriate technical and organizational measures for processing employee data that we share with them.

YOUR RIGHTS REGARDING PERSONAL DATA

In accordance with the provisions of the GDPR, you have the following rights over your Personal Data:

Right of access: To obtain a copy of the personal data we hold about you, you can make a request to the following email address: info@fagura.com;
Right to rectification/modification (update) of data: You have the right to update the data we process about you if it is inaccurate or incomplete. You can submit a request to the following email address: info@fagura.com;
Right to object: Regarding the data we process based on our legitimate interest, you have the right to object (for reasons related to exceptional situations) to the future processing of your data. This objection will be analyzed in relation to our specific legitimate basis applicable to the processing. You can submit an objection request by email to the following address: info@fagura.com;
Right to deletion: You can contact us at any time to request the deletion of personal data concerning you at the following email address: info@fagura.com. This process may apply in any of the following situations:
- Personal data is no longer necessary for the purposes for which it was collected and processed; or
- You have withdrawn your consent for further processing of the data, and we cannot process these data on another legal basis; or
- Personal data is processed contrary to the law.

Your personal data cannot be deleted if we are required to keep/process them by law or if our legitimate interest, which does not affect the fundamental rights and interests of the data subject, obliges us to keep/process them.

Right to restrict the use of personal data: You can request that certain personal data be marked as restricted during the processing of complaints regarding the accuracy, timeliness of your data, and the legality of their processing, and when, although Fagura no longer needs your data, it must keep them for the purpose of establishing, exercising, or defending a legal right in court. To restrict the processing of data, you can submit a request to the following email address: info@fagura.com;
Right to withdraw consent: For processing based on your consent, you can submit a request to withdraw your consent by email to the following address: info@fagura.com.

If you believe that your rights and interests protected by the GDPR are being violated, you can contact CNPDCP, the data protection supervisory authority in the Republic of Moldova, at www.datepersonale.md.