Dutch translation will follow
Why you should read this.
Who are we
The Trefi Platform, both its public and private environments, is managed by Capital Tool Company Agency Services B.V. (“CTC”). This means that any personal data received from you, either because you are our client or partner or because you visit our websites (notably, www.trefi.nl or https://secure.trefi.com), will be processed by CTC and/or its subsidiaries which, in turn, makes us responsible for the use and protection of this personal data.
At the same time, this makes you the Data Subject and makes us the Data Controller, using the terminology of the GDPR. Being a Data Controller essentially means that we determine how and why your data is processed.
Our details, should you require the formal details of your Controller, are:
Capital Tool Company Agency Services B.V.
Phone: +31 85 87 712 59
Collecting your personal data
The personal data we collect or receive about you depends on the CTC services you use and/or request from us. Sometimes you provide us with the data directly, like when you become our client or request information from us, and other times we collect or maintain data automatically through the use you make of the website(s) and/or Trefi Platform.
We may also collect personal data from public sources or registers, from our partners and professional service providers or from (third party) organisations, if this is adequate and relevant, under our legitimate business interest, in order to evaluate the suitability of a product for you or to check your identity and interest in accordance with regulations like anti-money laundering, trust regulations and others.
What types of personal data we collect
The personal data we maintain is mainly the following:
- Identity and contact details (e.g. name, surname, email address, phone number)
- Financial & commercial information of your business or company, and which could include personal data (such as that related to company directors, freelancers or corporate emails containing personal identity)
- Data that identify or could identify you (e.g. login information, browser type) once you proceed to sign up
- Data on how you use the Trefi website and the Trefi platform (e.g. level of service, response times), which might include your IP address, location, business preferences, etc.
How we use your personal data
We may process your personal data:
- To provide the service you’ve contracted with us and address you as required
- To maintain and improve the performance of the Trefi platform, understanding how you use the platform, testing proposed developments and responding to your queries about our platform or services
- To be able to provide client support and respond to any questions or concerns you may have about using our network, products or services
- To process payment information
- To carry out research and statistical analysis including to monitor how customers use our platform and services
- To prevent and detect fraud or other crimes, trace or recover debts
- To monitor compliance with our procedures and our terms & conditions: we might monitor for breaches of terms and conditions or of those relating to our intellectual property.
Lawful bases for processing your personal data
The GDPR only allows us to process your data for certain purposes and under certain conditions. That’s why we only process personal data where we have at least one lawful basis for doing so. The lawful bases for processing are the following: (a) having your consent as Data Subject; (b) being necessary for the performance of a contract with you; (c) being necessary for compliance with a legal obligation; (d) being necessary in order to protect your vital interests; (e) being necessary for the public interest or in the exercise of official authority; or (f) being necessary for the Controller’s or recipient’s legitimate interests, except where overridden by your interests as Data Subject.
CTC processes data under the following lawful bases:
- Your consent – This is where you have given us explicit permission to process personal information for a given purpose. For example, if you complete one of our website forms or request information from us. In this scenario, you also have the right to withdraw this consent at any time.
- Legitimate interest – This is where we have a legitimate interest, as a business, to process personal data. For instance, in case of a breach of our policies or when we need to collect personal data in order to enforce claims arising from defaults etc.
- Contractual requirement – This is where we have to process personal data to meet our contractual obligations or services requested from us under legal agreements or because you have asked us to take the required steps to enter into a contract.
- Legal obligation – This is where we have to process personal data in order to comply with the law, such as anti-money laundering obligations (AML).
Who we share your personal data with
We only disclose and share personal data in order to provide the services requested or when we need to rely for certain services on third parties which ensure adequate levels of compliance, security and business expertise. In general, these are:
- Companies in the CTC Group, in order to render or improve our services.
- Partners or professional service providers involved in delivering the services you’ve requested.
- Credit reference, fraud prevention, credit scoring agencies, debt collection agencies or other debt recovery organisations, if reasonable for the purpose of protecting us or interests of our clients.
- Law enforcement agencies, regulatory organisations, courts or other public authorities if we have to, or are authorised to by law, in order to enforce our rights or those of our clients or partners.
All of the above might have their own responsibilities in determining the extent of personal data and processing required to do the work, so they might also operate as Controllers of your data.
- Other Professional Service Providers, who help to support our business and improve our products. These providers are engaged to perform services for and on behalf of CTC and can only access or use your personal data under our instruction including Cloud/Data Storage facilities, Administration/Payroll or Corporate Service Providers (in some circumstances).
Social Network and Third-Party Login
How we keep your personal data secure
We have appropriate technical and organizational security measures in place to help ensure that your personal data is protected against unauthorised or accidental access, use, alteration, or loss. For example:
- We have an information security management framework developed in accordance with ISO 27001:2013:2005, which contains best practices for information security management. These provide a comprehensive set of security controls relating to the availability, integrity, encryption and confidentiality of electronic data, in which a balanced (effective and efficient) system of coherent measures is developed with the aim of protecting IT processes and data from internal and external threats.
- We have specialized IT and security officers who take, review and improve our security measures on an ongoing basis
- Our data centres follow strict security measures as per the Telecommunications Industry Association (TIA) standards
- Our employees are being trained in what the GDPR means and are bound by strict confidentiality clauses
- We apply continuous audit practices
If we have a contract with another organisation to provide us with services on our behalf to process your personal data, we’ll make sure they have appropriate security measures and only process your data in the way we’ve authorised them to unless they have to comply with the law in a supplementary manner. In any case, organisations shall not be entitled to use your personal information for their own purposes.
Please be aware that communications over the internet aren’t secure unless they’ve been encrypted. We can’t accept responsibility for any unauthorised access or loss of personal information that’s beyond our control.
You need to help us keep data safe, and we ask you to treat tokens, passwords, etc. confidentially and with the utmost care and to communicate any data breach as soon as you become aware of it.
How long we retain your personal data
We understand that your personal data, insofar as it is not anonymized or processed solely for archiving purposes you request, in the public interest, or scientific, historical, or statistical purposes, should not be retained for longer than necessary in relation to the purpose for which it was processed. Moreover, we understand that your right to be forgotten might mean that we erase your personal data even sooner than would otherwise be the case.
At CTC we retain your personal data for as long as you are a client of ours or of one of our partners. Otherwise, your personal data is deleted (i) on your request or (ii) when we decide that it is no longer necessary for the purpose for which it was collected (usually reviewed on an annual basis).
If you are our client, you may also delete your personal information by logging on and closing your account. This will include personal data about other individuals you have entered. You can only delete the data if you have no outstanding legal or contractual obligation under the terms and conditions of the platform.
Nevertheless, you should be aware that it is sometimes necessary for us to keep your personal information for longer periods of time, such as, for example, if there is a legal requirement to retain it or a legitimate business interest.
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when you access a website. It allows the website to recognise your device and store some information about you or your device.
Some of these cookies collect information required in order for the website to work properly. Therefore, if you do not allow these cookies, or disable them via your browser, some parts of the website may not work properly, such as logging in or sending forms. We use session cookies (transient cookies) on our website, which we consider to be strictly necessary cookies under our legitimate interest to provide you with a functioning website. The session cookie is erased when you close your browser and we typically do not collect personal data from your computer. They typically store session identification information that does not personally identify you.
We also use the cookies of Google Analytics, which allow us to see information on the activities of visitors to our website and users of our service, including statistics such as page views, source and time spent on the website. The information is anonymized. These are analytical cookies.
These are your privacy rights
The GDPR grants data subjects a wide array of rights to help them exercise control over their personal data. These are the following:
- Right to access your personal data: you can access your data at any time to get a copy of the personal information we hold about you, unless your request proves to be manifestly unfounded or excessive.
- Right to rectify your personal data: if you think we’re holding inaccurate or outdated data about you, you can rectify it directly if you have an account with us.
- Right to block or object to processing being carried out in certain circumstances (such as if you believe your rights should override our legitimate interest)
- Right to port your personal data to another service: you are entitled to obtain any personal data we might have on you in a digital format. We can also transfer this data directly to another controller. We can do this if the lawful basis for processing was consent or the performance of a contract.
- Right to be forgotten by us: you can ask for your data to be deleted in certain circumstances (e.g. by withdrawing your consent, no legal obligation on our part), by using the delete functionality.
- Right to opt out of marketing communications: you can object to your data being processed for direct marketing purposes at any time. You can choose to opt out of all marketing communications by unsubscribing completely or just from receiving marketing messages in a particular way (email, call, SMS, post, etc.). This includes the automated processing of your personal data, including for profiling purposes.
- Right to complain about us to the data supervisory authority if we fail to deliver: for example, via the contact information of the authority in the relevant country you are in. In the Netherlands, for example, this would be https://autoriteitpersoonsgegevens.nl or, in Germany, http://www.bfdi.bund.de/.
Third Party Sites
Where is your personal data stored
The bulk of the personal data we collect is processed in our secure hosting facility.
All data, including personal data, is stored on our servers, including our third-party (back-up) servers in the United Kingdom and the EU-located datacenters or MS Cloud.
At this point in time we do not transfer personal data to recipients outside the European Economic Area (EEA), unless by your action (like sending an invoice outside the EU). Should that be the case in the future, we will inform you sufficiently and make sure that we rely on adequacy decisions, EU standard contractual clauses or other EU approved mechanisms for such transfers.
Complaints, Questions and Suggestions
Thank you for getting this far. We have aimed to make this information easily accessible and easy to understand. If, however, you still have any outstanding questions, suggestions or queries with regard to the collection and processing of your personal data, please contact us directly at firstname.lastname@example.org or through the support functionality in our product.
CTC is committed to working with our clients and data protection authorities to resolve any concern you might have in this regard. And please remember that data protection is an ongoing process so, even if we will duly notify you of any changes that have an impact on you as a Data Subject, please don’t be a stranger to this site.