1. Privacy policy objective and its application

Kevin EU, UAB (hereinafter referred to as the “Company” or “we”) values your trust and is committed to ensure proper protection of your personal data. We respect your privacy and pledge to process and protect your personal data in a fair and lawful way in accordance with the applicable legal requirements of the European Union (General Data Protection Regulation 2016/679) (hereinafter referred to as the “GDPR”) and the Republic of Lithuania. The definitions used in this Privacy policy have the same meaning as stipulated in the GDPR.

In this Privacy policy we describe what personal data we collect and process about people who use our payment initiation, account information services, clients and their representatives, people that consented to receive direct marketing messages, job applicants for the vacant job position. We may process your personal data for purposes other than those described in this Privacy policy. If this is the case, we will provide you with a separate privacy statement informing you about such processing.

Please note that additional information might be provided in Terms and Conditions, contracts, and other documents provided by us.

2. Contact information

You can contact the Company via e-mail info@kevin.eu or mail Lvivo str. 25-104, LT-09320 Vilnius, the Republic of Lithuania.

If you would like to find out how we process your personal data or if you wish to exercise any of your rights as a data subject, please contact our Data protection officer via e-mail privacy@kevin.eu.

3. The types of personal data we collect and how we get them

We collect and process the following categories of personal data:

• Personal identifiers, contacts, and other characteristics (for example, name, surname, personal identification number, date of birth, personal identity document data, address, telephone number, e-mail address, data on your country of residence and/or citizenship, selected communication language).
• Financial data (for example, data about a bank account, such as bank account number, balance, bank name, currency code, unique account ID; transaction information, such as date (booking and value dates), amount, currency code, bank, payer/payee name, payment description, unique transaction ID).
• Data related to the customer's reliability and performance evaluation (e. g. data on financial transactions; data that is necessary for the Company to apply the necessary measures in the field of prevention of money laundering and terrorist financing and to ensure the implementation of international sanctions).
• Data received and/or created in compliance with the requirements of applicable legislation (for example, data that the Company must provide to public authorities, such as tax administrators, courts, other supervisory or enforcement authorities).
• Data collected using communication and other technical means (e. g. data that is provided in your messages, e-mails; data collected using our Services; data about the device(s) you use).
• Data on behavioural habits, priorities, and satisfaction with the Services (for example, data on your activity using the Services, your feedback on the Services).
• Data on relationships with legal entities - data that is provided by our clients or obtained from public registers or third-party service providers when concluding and performing contracts on behalf of a legal entity.
• Special categories of personal data (for example, data on whether the client is a politically exposed person). In certain cases, in compliance with the requirements of legal acts, the Company must process special categories of personal data, for example, data on politically exposed persons is processed for the purpose of preventing money laundering and terrorist financing. The processing of special categories of personal data may also be based on the need to assert or exercise legal claims.

We collect personal data about you directly from you to initiate payment for goods or services, to receive information about bank accounts, when you enter into contract with us or while representing another person, when you send your CV, as well as other information related to your recruitment, when you submit requests, etc. Personal data can be also created by you using our payment initiation and/or account information services (hereinafter referred to as the “Services”) or communicating with us by e-mail or using other means of communications. We may also collect information about you indirectly from third parties (such as your bank or merchant who you buy goods or services from), where you have given your explicit consent for your information to be transferred to the Company to initiate payment and/or receive bank account information. Your personal data also might be obtained indirectly from other organisations (such as LinkedIn) where you have explicitly consented to your information to be transferred, specific register and information systems, also such sources as State Social Insurance Fund Board, etc.

4. How we use your personal data and why we have it

We process your personal data for the following purposes and based on the following legal bases:

(a) Your consent. In certain cases, we may ask for your consent to process your personal data. Such a request will include information about the personal data processing activities for which your consent is requested. For example, we may ask your consent for processing of your personal data for the purposes of: direct marketing; recruiting for the vacant job position in our Company; administering our social media accounts; organizing of events (workshops, seminars, etc.); or handling your inquiries. You can withdraw your consent at any time by contacting our Data protection officer via e-mail indicated in section 2 of this Privacy policy.

(b) We have a contractual obligation. The main purpose of personal data processing carried out by us is to conclude, perform and administer contracts with our clients. This may include the processing of personal data for the purposes of: taking actions at the client's request before concluding a contract, concluding, performing or terminating a contract with the client; providing Services; handling inquiries, requests, claims submitted by the clients (their representatives).

(c) We have a legal obligation. In some cases, we must process personal data to ensure the fulfilment of the legal obligations applicable to the Company in accordance with the applicable legislation. This may include the processing of personal data for the purposes of: selecting candidates for manager positions; handling claims submitted by the clients (their representatives); checking and verifying identity of clients (their representatives); preventing, detecting, investigating and reporting potential money laundering or terrorist financing activities; fulfilling requirements of legal acts regulating the provision of Services; carrying out internal investigations and operational risk events; fulfilling other legal requirements in accordance with applicable legislation in areas such as prevention of money laundering or terrorist financing, enforcement of sanctions, payment services, accounting, taxation, personal data protection, governance and management of the Company and implementation of shareholder rights.

(d) We have a legitimate interest. Such processing of personal data is necessary due to the Company's legitimate interests, which are balanced against the client’s (as a data subject’s) interests and rights. We may process your personal data on the basis of our legitimate interest, for example, for the purposes of: recruiting for the vacant job position in our Company; processing personal data of payment participants’ for the purpose of provision of payment initiation service and/or account information service to the client; processing personal data of contractor’s representatives when taking actions at the contractor's request before concluding a contract, concluding, performing or terminating a contract; preventing and investigating unauthorised use of the Company's services or disruption of the services, including implementing the necessary security measures; preventing fraud; asserting, enforcing, defending or transferring of legal claims and storing of information for this purpose; assessing the possibility to transfer Company's business or part of business, or get funding for Company's activities; archiving of Company’s files; conducting clients onboarding and performance management, Company’s products/services incident management for the purpose of maintaining, examining, developing and improving Company's activities, products, services; monitoring of the Company's performance indicators and financial planning.

5. With whom we may share your personal data

We may share your personal information to ensure the provision of our services or in other cases, where necessary, with third parties (referred to as the “Data recipients”). We do not disclose personal data more than is necessary for the specific purpose of personal data processing.

Data recipients may process personal data acting as controllers and/or processors. If the Data recipient processes your personal data as a controller, it is responsible for informing data subjects about the ongoing personal data processing. In such cases, you should contact this Data recipient regarding the processing of your personal data by such Data recipient.

We may disclose your personal data to the following Data recipients:

• State institutions and other persons performing the functions assigned to them by law (for example, supervisory authorities, tax administration, law enforcement authorities, bailiffs, notaries, courts, non-judicial dispute resolution institutions).
• Other financial institutions when we have a legal obligation to provide access to your personal data to such a financial service provider (e. g. your bank).
• Payment participants and/or parties involved in national and European payments (e. g. merchant who you buy goods or services from).
• Third parties, which manage databases and registers (e. g. registers of Population, of Legal Entities, etc.) or mediate the provision of personal data from such databases and registers.
• Persons and companies who consult us on financial and legal issues, perform audits of the Company or provide us with other services.
• Other persons related to the provision of Company’s services, such as providers of IT, cloud computing, hosting, telecommunications services, archiving, postal services.
• Persons and companies who participate in the process of assessing the possibility to transfer Company's business or part of business, or get funding for Company's activities (for example, potential buyers/investors, auditors, attorneys).

If we ourselves or using service providers transfer your personal data to the non-EU/EEA countries, we comply with the relevant requirements of the GDPR (Art. 44 et seq.) and oblige our service providers to comply with these regulations too. Therefore, we will transfer your data to the non-EU/EEA countries only by ensuring the level of security provided by the GDPR. This level of security is primarily ensured by the EU Commission's adequacy decision. If with regard to a particular country there is no adequacy decision of the EU Commission, we will ensure that your rights and freedoms are properly protected by concluding relevant data transfer agreements containing the EU Standard Contractual Clauses or other authorised data protection clauses. In other cases, we may transfer data based on your express consent. You can withdraw your consent at any time by contacting our Data protection officer via e-mail indicated in section 2 of this Privacy policy.

Personal data can be transferred to non-EU/EEA countries if, for example, it:

• is necessary for the performance of a contract to which you are a party or for the fulfillment of your requests;
• takes place as part of the performance of the contract when service providers are involved;
• is necessary to safeguard our legitimate interests;
• is required by law or you have given your consent.

If we transfer personal data to the recipient, which is unable to ensure an adequate level of data protection, based on your consent alone, we point out that the following risks arise: it is possible that the adequate protection of your personal data is not sufficiently regulated, there is no data protection supervisory authority; there is no control over the further processing of personal data (including transfer to third parties); the implementation of your data protection rights can be impeded or disregarded.

More information about the transfer of personal data outside the EU/EEA is available upon request using the contact details indicated in section 2 of this Privacy policy.

6. How we store your personal information

Your information is securely stored. While processing your personal data, we implement organisational and technical measures which ensure the protection of personal data from an accidental or unlawful destruction, alteration, disclosure and any other unlawful processing. These measures may include, among other, encryption, physical access security, auditing and other appropriate technologies.

The period of retention of personal data is determined taking into account the specific purposes, for which the personal data were collected, or the period determined by the applicable legislation. Personal data collected in connection with the provision of Services, we process for as long as you use our Services and retain for a period of 10 years after you cease using our Services, except in cases where the applicable legislation or the internal legal acts of the Company determine different retention periods.

7. What are your rights

This section contains information about your rights related to the processing of your personal data carried out by us and cases where you can exercise these rights. If you would like to receive more information on your rights or to exercise them, please contact us via e-mail indicated in section 2 of this Privacy policy.

We will provide information on actions taken on a request regarding implementation of your rights without undue delay and in any event within 1 (one) month of receipt of the request. In consideration of the request complexity and the number of received requests, the aforementioned term may be extended for 2 (two) further months. In this case, we will notify you of such term extension and reasons for it within 1 (one) month as of the receipt of request. We will refuse to implement your rights only in cases provided for in the legal acts.

Your rights are as follow:

The right to be informed: as a personal data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this Privacy policy.

The right of access: we want you to fully understand how we use your personal data and not to experience any inconvenience because of that. You can contact us at any time and ask if we process any of your personal data. If we store or use your personal data in any way, you have the right to access them.

We will provide access to the personal data we hold about you as well as the following information: the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data has been disclosed, the retention period or envisioned retention period for that personal data, when personal data has been collected from a third party, the source of the personal data.

The right to rectification: when you think we process inaccurate or incomplete personal information about you, you may exercise your right to correct or complete certain personal data. This may be used with the right to restrict processing to make sure that incorrect/incomplete personal data is not processed until it is corrected.

The right to restrict processing: you have the right to ask us to restrict the processing of your personal data or to object to their processing:

• During the period required for us to verify the accuracy of your personal data when you submit claims with regard to data accuracy;
• In cases of unlawful collection, storage, or use of your personal data where you decide not to request data;
• When we do not need your personal data anymore, but you need them for the establishment, exercise, or defence of legal claims;
• During the period required to determine if we have an overriding legal basis to continue processing your personal data if you exercise your right to object to the processing of your personal data.

The right to erasure (the right „to be forgotten“): where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. This includes personal data that may have been unlawfully processed. We will take all reasonable steps to ensure personal data erasure.

The right to data portability: you have the right to the portability of data obtained by us under your consent or for the purpose of agreement conclusion. If you exercise this right, we will transfer a copy of the data provided by you.

The right to object: you have the right to object to the use of your personal data by us:

• In cases where we use such data to implement our legitimate interests, but we do not have an overriding legal basis to continue using your personal data; or
• At any time when we use your personal data to send newsletters or for direct marketing purposes. In such a case, the data will not be used for these purposes anymore; however, they may be used for other legitimate purposes.

If you believe that your rights of the data subject have been and/or may be violated, please promptly contact our Data protection officer via e-mail indicated in section 2 of this Privacy policy. We ensure that as soon as we receive your complaint, we will contact you within a reasonable period and inform you about the complaint handling process, and then about its result.

If the handling results are unsatisfactory to you, you will be able to submit a claim to the supervisory authority – the State Data Protection Inspectorate (www.vdai.lrv.lt).

Detailed information about the implementation of the data subject’s rights is provided in the Company's Procedure for the implementation of rights of the data subjects.

8. Provision of payment initiation service

We provide payment initiation services in accordance with the rules established in the Payment Law of the Republic of Lithuania and the principles of good practice of Payment initiation prepared by the Bank of Lithuania. We will process the personal data received for this purpose, only in order to provide the payment initiation services.

We may use your personal data to initiate payment for goods or services you seek to acquire.

We will only collect the personal data in order to initiate payment that you seek to initiate. If you do not submit such a request (give your explicit consent), we will not be able to initiate the payment. We will not collect any data from you or other sources that is not necessary to render the payment initiation services.

We will only process your personal data after you agreed that the merchant or the service provider will transfer your personal data to us. If you do not give a consent to the merchant or the service provider to transfer your personal data to us, we will not be able to initiate payment.

We need to process your personal data in order to initiate payment services, to identify you, to initiate the payment, to authentify the payment as well as to confirm the payments.

Depending on the payment initiation service model chosen by our client (merchant or service provider), we may collect the following personal data: order number provided by merchant or service provider, transaction details (order amount, description (purpose), status), bank account number, bank account name, unique authentication keys (tokens) created by the bank and the Company that are linked to your bank account number.

In certain cases, we may collect your bank login number, personal identification number, telephone number, one-time authentication security code.

In certain cases when you choose to pay for the goods or services using your credit or debit card, the Company may also collect and process your credit or debit card’s information (credit or debit card number, owner (name and surname), expiry date and card verification value).

The amount of personal data we collect and process in each case depends on the requirements of your bank and payment initiation service model chosen by the merchant or service provider.

After a particular payment is executed, the merchant who you acquired goods or services from and you will be informed about the payment status. We will inform you about the payment status via e-mail.

The legal basis for processing your personal data is the performance of a contract between you and the Company and the compliance with a legal obligation to which the Company is subject.

In certain cases when you seek to initiate payment to another natural person, we will process the following personal data of the payee: bank account number, transaction details (currency, description (purpose), status). In such a case the legal basis for the processing of personal data of the payee is the legitimate interest of the Company.

We will process personal data for as long as we need it to fulfil the purpose the data was collected for. Personal data collected for the purpose of provision of payment initiation service will not be stored for a longer period than 3 years after the payment initiation.

We review our data retention periods regularly and we are legally obliged to retain some personal information as part of our statutory requirements.

If after your payment has been initiated you choose “Remember me”, we will remember your personal data (your bank and account number) to provide you with the possibility to pay faster next time. The legal basis for processing your personal data, when choosing “Remember me”, is your consent.

The consent will be saved for 90 days. You will be prompted again after this term expiration.

You may withdraw your consent at any time by unticking the “Remember me” box the next time you use our payment initiation services or by contacting us via e-mail indicated in section 2 of this Privacy policy.

“Remember me” functionality enables you to make future payment initiation in a more convenient way, but for the reason that this functionality remembers your bank, login information and account number on the device you have used, this payment initiation approach should only be used on your private devices. Due to this reason, you should not use “Remember me” functionality on shared devices. In case you have lost your device, get in touch with your bank straight away.

9. Provision of account information service

We provide account information services in accordance with the rules established in the Payment Law of the Republic of Lithuania. We will process the personal data received for this purpose, only in order to provide account information services.

We may use your personal data in order to provide you with the consolidated information about your bank accounts. We will only process your personal data when you actively ask us to provide you with the consolidated information about your bank accounts. Without such a request, we will not be able to provide you account information services.

In order to provide consolidated information about your bank accounts, we collect the following personal data : your bank login ID, personal identification number, telephone number, one-time authentication security code, bank account number, bank account name, used bank accounts amount, unique authentication keys (tokens) created by the bank and the Company that are linked to your bank account number, bank account balance, bank account transaction history.

The legal basis for processing your personal data is the performance of a contract between you and the Company.

Consolidated bank account information can be transferred to third parties in order to assess your credit evaluation or for other legitimate purposes only upon your consent.

We will process personal data for as long as we need it to fulfil the purpose the data was collected for. Personal data collected for the purpose of provision of account information service will not be stored for a longer period than 3 years after account information is provided.

10. Implementation of the „Know your client“ principle and prevention of money laundering and terrorist financing

We may process personal data in compliance with legal requirements related to implementation of the „Know your client“ principle and prevention of possible money laundering and terrorist financing, prevention of fraud, detection, investigation and informing of such activity.

For this purpose, we may process the personal data of our client’s, their representatives, directors and shareholders and / or other persons.

We may process the following personal data: name, surname, a unique sequence of symbols intended to identify the person, date of birth (if a person is not a citizen of Republic of Lithuania), the number and period of validity of the residence permit in the Republic of Lithuania and the place and date of its issuance (if a person is not a citizen of Republic of Lithuania), address, citizenship, the country of issuance of the identification document (in cases of a stateless person), workplace (in cases of client’s director), image, personal identification document details, equity of the legal entity’s shares/voting rights/control (in cases of shareholder and beneficiary), signature, other data required by the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania or other legal acts.

Following the legal requirements related to the implementation of „Know your client“ principle and prevention of possible money laundering and terrorist financing, prevention of fraud, detection, investigation and informing of such activity, we may process your image (in the form of a photograph or live image) (biometric data) for identification purposes. Your image and personal identification document are combined in order to check if you are the owner of the presented personal identification document.

The Company may also process personal data of people who certify copies of documents or delegation. We may process the following personal data: name, surname, workplace, signature, other data required by the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania or other legal acts.

Personal data are collected and processed on the basis of the legal obligation imposed on the payment initiation service provider, i. e. us. Your biometric data (your image) shall be processed on the basis of your consent (when image is processed for identification purposes). If you do not consent to the processing of your biometric data, please contact us for another method of identifying your identity.

We will process personal data for as long as we need it to fulfil the purpose the data was collected for and following the legal requirements. Personal data will be stored for 8 years after the termination of the business relationship with the client. The data retention period may be extended for a period not exceeding 2 years, provided there is a reasoned request from a State Authority. Such data retention period is required by the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania.

11. Processing personal data for recruiting purposes

You can send us your data in order to join our Company. Your personal data you present for the purpose of recruiting for the vacant job position in our Company will be processed based on your consent, expressed by submitting your personal data.

We collect and process your CVs and/or motivation letters, and/or other information submitted by you at the time of participation in the selection for the purpose of recruitment and on the basis of your consent which you give to us or to the recruitment company by sending your curriculum vitae.

If you do not submit your curriculum vitae and/or motivation letter, we will not be able to assess your suitability for the offered position.

Please note that in order to properly evaluate the candidate’s suitability for the job (in implementing the Company’s legitimate interest), where applicable, we may ask you to provide a link to your personal Linkedin account and/or process other publicly available information related to the requirements for the position for which you are applying.

Please comply with personal information protection requirements and do not send us excessive information. Please observe at least the following minimum requirements for the protection of your personal information by sending personal data to us: do not indicate excessive or unnecessary personal data either in the subject line of the letter or query, or in the attached CV, in motivational letters, in other files: personal identification code, health or other special personal data, financial data, bank account number, family member data, car licence plate number, etc.

Please note that in individual cases, in order to fulfil legal obligation, we may process your conviction data, information about marital status, financial obligations, family members and relatives. In this case, your personal data will be processed on the basis of the legal obligation imposed on the Company.

All personal data will be stored until the ongoing recruitment process is finished. Please note that on the basis of your consent we could store and use personal data for up to 1 year. Once you have given such a consent, you are entitled to withdraw it at any time by contacting our Data protection officer via e-mail indicated in section 2 of this Privacy policy, without prejudice to lawfulness of personal data processing based on such consent until the withdrawal of the consent.

Please note that in order to evaluate your candidacy, we may contact the former employers you have indicated for their recommendations and may ask them about your qualifications, professional skills and business qualities. We can request such information from your current employer only if we have your separate consent for this.

12. Direct marketing

In cases you provided your contact information and expressed explicit consent to receive marketing information from us, the Company may contact you via e-mail providing you with the information about the Company’s services or submit other promotional material. We may send out commercial offers, newsletters and other advertising material.

We may process the following personal data for direct marketing purposes: name, surname, e-mail address, other information that a person may provide, date of consent.

Your data will be used for direct marketing purposes for 3 years as of the receipt of your consent or after provision of services to you.

You have the right to refuse direct marketing at any time by contacting our Data protection officer via e-mail indicated in section 2 of this Privacy policy.

13. Cookies

We use cookies on our website. The list of cookies used is provided in the Company's Cookie policy, which is available here.

14. Privacy policy review

We may update or amend this Privacy policy at any time. Such an updated or amended Privacy policy will come into effect as of its publication. You should check it from time to time and make sure that you find the current version of the Privacy policy acceptable.

The latest update to the Privacy policy was made on 8 November 2023.