Privacy policy

I. CONSENT

By using our website(s) at www.hive5.co (hereinafter referred to as the Website), by registering as a user on the Website (hereinafter referred to as the User), entering into the and/or by providing us with personal information, for the purposes of Website usage only, you consent to the terms of this privacy policy (hereinafter referred to as the Privacy Policy) and understand that we process it on the basis of our legitimate business interests or performance of agreements, such as our User Agreements and Investment Agreements. If you do not agree with any of the terms of this Privacy Policy, please do not use our Website or submit any personal information to us. User hereby also confirms that all its personal information submitted to HIVE5 is valid and accurate.

HIVE5 may, separately and in addition to the present Privacy Policy, collect the User’s consent to personal data processing that was not previously covered by the present Privacy Policy, including to processing for new purposes, to ensure that all processing is lawful, and the User can exercise their rights under the applicable data protection laws.

If the User provides to HIVE5 personal data of third parties, the User confirms that those third parties have agreed to HIVE5 processing their personal data in line with the present Privacy Policy. The User agrees that the right of HIVE5 to process personal data is in force for the duration of the any User or other Agreement.

If you have additional questions or require more information about our Privacy Policy, do not hesitate to contact us.

II. WHO WE ARE

Hive5 marketplace d.o.o. is a company incorporated in the Republic of Croatia, registration number: 081441259, registered address: Ulica Račkoga 8, Zagreb, Croatia, e-mail address: support@hive5.co, (hereinafter referred to as HIVE5). Hive5 marketplace d.o.o. operates an online digital p2p lending platform through Website www.hive5.co.

III. PURPOSE

This Privacy Policy outlines the privacy practices of HIVE5. This Privacy Policy explains when and why we collect personal information. It explains how we use this information, when we share it with others, and how we help keep it secure.

HIVE5 is data controller as defined in the regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR). HIVE5 is entitled to process and to contract a processor to process on behalf of HIVE5 the personal data of the User. The User is “data subject” as defined in the GDPR. The HIVE5 purpose for processing the User’s data is as follows:

• Providing a high-quality service;

• Holding up to date records of all activity concerning the business activity of HIVE5;

• Managing business risks including but not limited to credit risk, liquidity risk, fraud risk;

• Informing Users about their account activity or crucial changes in the HIVE5 services (other than direct marketing activities) that may affect the User;

• Meeting the requirements of day-to-day business needs;

• Developing new and improving the existing services to be relevant for its existing Users and to grow its User base;

• Protecting itself and its Users from illegal or harming events such as fraud and money laundering;

• Making available an optimal pricing offer to its Users;

• Fulfilment of the Agreement between HIVE5 and the Users for provision of services under the applicable laws and regulations;

• Fulfilment of the legal obligations of HIVE5;

• The legitimate interests of HIVE5 insofar as they do not contradict the User’s rights or interests;

IV. THE INFORMATION WE COLLECT

The types of personal information HIVE5 may collect includes:

• Registration Information. During registration, the User fills out the registration form with their initial identity and contact information and sends it to HIVE5 electronically. HIVE5 also collects User’s electronic device information at that time.

• Entering the Website account as a User. When a person enters the Website account as the registered User, we may obtain personal data to identify the User from other visitors of the Website.

• Using the Website as a User. HIVE5 collects information about the User while using the User is using the Website, for example, to verify the User’s identity, correct contact details, manage payment instruments, process payments and similar.

• Customer surveys. When the User participates in a customer survey organized by HIVE5, HIVE5 will store personal information if applicable.

• User registration on the Website. During registration, the User fills out the registration form with their initial identity and contact information and sends it to HIVE5 electronically. HIVE5 also collects User’s electronic device information at that time.

• Website visits. When User visits the Website, information about the visitor’s activity is collected automatically with the help of cookies or equivalent technologies. Information such as browser’s identifier, the Website’s visiting frequency, average time spent on the Website and viewed pages is collected. Such information is collected with the purpose to evaluate the attractiveness of our Website and to improve its content and functionality.

• Cookies. Cookies are informational files, which join a computer or a mobile device when they are used for visiting or entering the Website account. The User may switch off cookies in its browser’s settings. However, if cookies are switched off, some services of the Website might become unavailable that require cookies to function correctly. The User may find additional information on how to manage or delete cookies at http://www.allaboutcookies.org/.

• Communication with HIVE5. HIVE5 collects information from the User when and from what the User communicates to HIVE5 via email, phone call, Live Chat, Website and other means. Similarly, HIVE5 processes personal information when contacting the User.

V. HOW WE USE PERSONAL INFORMATION

Below is a categorization of personal data that HIVE5 processes in relation to its Users and the data processing requirement that applies to each personal data category or may apply depending on the processing case at hand.

Information Class	How We Use it	Legal Basis (personal data are processed with your consent except as otherwise permitted or required by law)
Identifying and contact information	Full name Date of birth Address Phone number e-mail address Login details including the username, password and 2-factor authentication use	Legal requirement Requirement to enter into contract Contractual requirement
Identity verification	Identity document copy Document type Document number Document issue date Document expiry date Document issuing institution Document issuing country Birthplace Citizenship and residence Government issued personal ID number	Legal requirement Contractual requirement
Transactional and financial data	Bank account number Financial activity information Financial activity proof documents Transactional activity in the Website	Legal requirement Contractual requirement
Electronic device and location data	IP address Forward IP address Device agent / browser details Access time of the Website. Length of visits of the Website. The internet browser type, version, time zone setting, operating system and platform. Full Uniform Resource (URL) clickstream.	Legal requirement Contractual requirement
Employment	Employer Employment position	Legal requirement Contractual requirement
Special categories of personal data	Gender	Legal requirement Requirement to enter into contract Contractual requirement
Legal offences	Criminal and administrative offences	Legal requirement Legitimate interest
Credit standing	Credit health and score Past and present liabilities	Legitimate interest
Information on family members and close relationships	Full name Nationality Country Employment details	Legal requirement Contractual requirement
Information openly available on the Internet	User’s posts and comments about HIVE5 online including social networks	Legitimate interest
Information in public records	Information about the User such as employment, business, government registry entries	Legal requirement Contractual requirement
Communication and interaction	Information provided by the User on a voluntary basis or as required by HIVE5 such as during communication between the User and HIVE5	Legal requirement Contractual requirement
Other information	Other information that may be required to be collected in order to fulfil the legal or Contractual obligations of HIVE5	Legal requirement Contractual requirement

Below is a list of the causes that HIVE5 identifies as mandatory for processing the personal data of its Users. All of the causes for processing are expressed by HIVE5 though examples as presented:

Reason	Sample cases	Legal basis
Offering, providing and maintaining HIVE5 services to each individual User	Accepting new Users Providing continued service to existing Users Processing payments on behalf of Users Identifying different Users and different User portfolios Matching claims with Users	Contractual obligation Legal obligation Legitimate interest
Realization and protection of the rights of HIVE5 arising from the Agreement	Business intelligence analysis Contacting Users in relation to the services Managing service availability to Users	Contractual obligation Legal obligation Legitimate interest
Realization and protection of the rights of the User arising from the Agreement	Contacting Users in relation to the services Keeping User records on their financial activity on the platform for correct payment processing Storing and protecting User information held by HIVE5	Contractual obligation Legal obligation Legitimate interest
Fulfilling the legal obligations of HIVE5	Identifying individual Users and verifying their data under the applicable Anti-Money Laundering legislation Consolidating financial information for compliance with accounting requirements Executing the obligations under the Agreement and Assignment Agreements	Contractual obligation Legal obligation Legitimate interest
Financial and statistical analysis	Evaluating the financial health and risks of HIVE5 services Assessing the customer base of HIVE5 Assessing the activity type and level of Users	Contractual obligation Legal obligation Legitimate interest
Keeping User records	Maintaining an audit trail of all User applications Recording changes to User account information Distinguishing between action taken by the User versus action taken by HIVE5	Contractual obligation Legal obligation Legitimate interest
Identifying and verifying User identity	Collecting and verifying User identity documents Collecting User expected financial activity on the HIVE5 platform Asking additional due diligence questions in accordance with the applicable Anti-Money Laundering legislation	Contractual obligation Legal obligation Legitimate interest
Managing risks and security	Monitoring User activity levels Monitoring User account access for security and audit trail purposes	Contractual obligation Legal obligation Legitimate interest
Maintaining the platform and the website	Adopting the manner of User data processing to the service features as well as User needs	Contractual obligation Legal obligation Legitimate interest
Developing and improving the product and the services, including for quality control	Collecting User feedback and monitoring User activity levels and preferences	Contractual obligation Legal obligation Legitimate interest
Marketing	Communicating to Users about new or suitable products and features of HIVE5	Consent Contractual obligation Legal obligation Legitimate interest

VI. LEGAL BASIS FOR PROCESSING

HIVE5 process your personal information with your consent except where otherwise permitted or required by law. We may also process your personal information on one or more of the following legal bases (as identified in section V (How we use personal information) above):

Contract. The processing is necessary for our performance of the contract you have agreed to enter with us. If you do not provide your personal information to us, we will not be able to carry out our obligations under the terms of your contract.

Legal Obligation. The processing of your personal information is necessary for the purposes of complying with applicable regulatory, accounting, and financial rules and obligations and to make mandatory disclosures to government bodies and law enforcement.

Legitimate Interests. We are permitted to process your personal information if it is based on our “legitimate interests”, where we have good, sensible, practical reasons for processing your personal information, which is in the interests of Vinted and doesn’t outweigh your rights as data subjects. To do so, we have considered the impact on your interests and rights and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. In jurisdictions where “legitimate interests” are not a basis on which personal information may be processed, by providing us with personal information for an identified purpose, you consent to our processing it for that purpose. Where personal information is processed based on legitimate interests, e.g. for the purposes of direct marketing, you have the right to object to such processing at any time and free of charge. See the section entitled “Your Legal Rights” to find out how. If you object to us processing your personal information, we must demonstrate compelling grounds for continuing to do so.

Consent. For the purposes of Canadian law, your consent may be express or implied. Sometimes we want to use your personal information in a way that is entirely optional for you, such as to send you our promotions and news. On these occasions, you do not have to provide your consent. You can withdraw this consent at any time, subject to legal and contractual restrictions.

VII. COOKIES AND OTHER TRACKING TECHNOLOGIES

The HIVE5 uses cookies and other technologies to collect information when you visit our Website. We use these technologies to collect information such as your device and browser type, the date and time of your use sessions, your IP address, what you search for, your operating system, and your browsing on the Website. We use this information to improve our Website and services, including to analyze Websites usage to improve user-friendliness and to track down and prevent fraud and security issues. If you are suspended from the Website, we may use your IP address to enforce the suspension.

For more information about the Website’s cookies, tracking, and how we use tracking technologies on our website, please visit our Cookie Policy.

VIII. RETENTION PERIODS

We retain personal information that we collect as long as necessary to fulfill the purposes for which it was collected or to meet any legal requirements, including applicable limitation periods. We have retention standards which meet these requirements:

• Personal data relating to the legal obligations of HIVE5 under the AML Law of the Republic of Croatia (including but not limited identity data, identity and account activity verifying documents, communication) shall be stored for 10 years after termination of the Agreement.

• Information on the Agreements are stored for 11 years in accordance with the Accounting Act of the Republic of Croatia after termination of the Agreement.

• Personal data shall also be retained based on our Legitimate interest for 10 years after termination of the Agreement.

• Personal data may be retained in accordance with other legal obligations of HIVE5 and in accordance with the respective time frames set therein.

IX. THIRD PARTIES

HIVE5 may transfer User’s personal data to and receive it from third parties for the purpose of providing its services.

Third parties that HIVE5 may receive User’s personal data from:

• Third parties taking legal actions in connection with debt collection from the User (for instance, debt collectors, lawyers, court bailiffs, insolvency administrators and other persons acting in accordance with the applicable laws).

• Legal, accounting and auditing service providers to HIVE5.

• Government authorities and institutions, regulators, law enforcement bodies.

• Government information systems such as population registers, state social insurance agencies and etc. in accordance with the applicable legislation.

• Any person related to the fulfilment of HIVE5’s commitments arising from the Agreement (including, but not limited, to communications service providers, IT service providers, payment intermediaries, credit institutions etc.).

• Outsourced service providers that HIVE5 requires for the provision of its services, insofar as such personal data collection is necessary for the performance of functions delegated to them (including but not limited to identity verification services, fraud prevention services, money laundering prevention services).

• Third parties that the User asks or consents to disclose its personal data to.

• The User’s legal representative, Credit information bureaus, Social networks, other public information sources.

Third parties that HIVE5 may disclose the User’s personal data to:

• To affiliates, companies and enterprises related to HIVE5 or which directly or indirectly have obtained a significant share in the share capital of HIVE5, or in which HIVE5 has obtained direct or indirect participation, insofar as such information is necessary for the performance of functions delegated to them or for the provision of services by HIVE5 to its USERS and performance of the Agreement signed between HIVE5 and User.

• Any person related to the fulfilment of HIVE5’s commitments arising from the Agreement (including, but not limited, to communications service providers, IT service providers, payment intermediaries, credit institutions, audit services etc.), ensuring the recipient`s commitment to protect and not to disclose personal data received.

• Outsourced service providers that HIVE5 requires for the provision of its services, insofar as such personal data disclosure is necessary for the performance of functions delegated to them (including but not limited to identity verification services, fraud prevention services, money laundering prevention services), ensuring the recipient`s commitment to protect and not to disclose personal data received.

• Transferee of a claim, ensuring the recipient`s commitment to protect and not to disclose personal data received.

• Third parties taking legal actions in connection with debt collection from the User (for instance, debt collectors, lawyers, court bailiffs, insolvency administrators and other persons acting in accordance with the applicable laws), ensuring the recipient`s commitment to protect and not to disclose personal data received.

• Legal, accounting and auditing service providers to HIVE5, ensuring the recipient`s commitment to protect and not to disclose personal data received.

• Government authorities and institutions, regulators, law enforcement bodies.

• Government information systems such as population registers, state social insurance agencies etc. in accordance with the applicable legislation.

• credit information bureaus.

• Third parties that the User asks or consents to disclose its personal data to.

• The User’s legal representative.

• Third parties that refer the Users to HIVE5.

• Third parties to which that HIVE5 refers its Users.

In all instances when HIVE5 discloses personal data of its Users to third parties HIVE5 ensures legal protection of the personal data, including where applicable signing of a written non- disclosure agreement with the recipient, and the recipient’s commitment to protect and not to disclose personal data received.

X. TRANSFER PERSONAL INFORMATION TO OTHER THIRD COUNTRIES

If HIVE5 needs to transfer the personal data of its Users to a third country (i.e. a country outside the European Union), HIVE5 will do this under one of the following conditions: (i) the destination country has been recognised by the European Commission as ensuring adequate level of personal data protection (Adequacy decision) or (ii) Other appropriate safeguards exist for the data transfer (including but not limited to binding corporate rules, standard data protection clauses in the cooperation agreement or an approved code of conduct, in accordance with Article 46 of GDPR).

XI. LEGAL RIGHTS

You have rights under data protection laws in relation to your personal information.

• Access your personal information

the User has the right to request HIVE5 access to the personal data that HIVE5 is processing about the User and certain information related to its processing (in accordance with Article 15 of GDPR).

HIVE5 will take appropriate measures to provide the requested information without undue delay and in any event within one month of receipt of the User’s request. That period may be extended by 2 (two) further months where necessary, taking into account the complexity of the task. HIVE5 will inform the User of any such extension within one month of receipt of the request, together with the reasons for the delay.

HIVE5 reserves the right to verify the requesting User’s identity before executing the User’s request in order to meet its legal obligation to protect User personal data from unauthorized disclosure.

Where the User makes the request by electronic means, the information will be provided by electronic means where possible, unless otherwise requested by the User. A copy of the personal data undergoing processing will be provided free of charge. HIVE5 may charge a reasonable fee for any further copy requests taking into account the administrative costs of providing that information.

Where requests from the User are manifestly unfounded or excessive, in particular because of their repetitive character, HIVE5 may either: (i) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or (ii) refuse to act on the request.

Where the User’s personal data has been transferred to a third country, the User may ask for information on the safeguards that were applied to that data transfer and where these safeguards can be viewed.

• Request correction

The User may request for correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

• Right to erasure

The User may request erasure of personal information that in User’s opinion is not needed to be processed under an active Agreement (in accordance with Article 17 of GDPR). This enables you to ask us to delete or remove personal information where there is no sufficient reason for us continuing to process it. You may also ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your personal information to comply with local law. HIVE5 may still continue processing the personal data due to legal or contractual requirements or to exercise its legal rights. HIVE5 shall notify the User if the request for erasure makes HIVE5 unable to continue providing service to the User.

• Right to objection of processing

The User may request HIVE5 to stop processing of his personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms and on occasions when: (i) The personal data may be inaccurate, (ii) the personal data has been unlawfully processed but the User wants to keep the data on record and limit its processing, (iii) the personal data is no longer needed for the original purposes of processing but the User needs the data for legal claims or (iv) the User objects to processing of personal data but HIVE5 is yet to conclude if there is no legal basis to continue processing it. On grounds relating to the User’s particular situation, the User may object to processing that is based on the legitimate interest of HIVE5, including to resulting profiling. HIVE5 shall stop processing such data unless there are compelling legitimate grounds to continue processing that override the User’s objection.

The User may object to processing for direct marketing purposes at any time. In that case, HIVE5 shall stop all such processing for said purpose.

• Right to data transfer

The User has the right to receive the personal data which it has provided to HIVE5 in a structured, commonly used and machine-readable format and have the right to transmit that data to another data controller without any hindrance from HIVE5, where: (i) the processing is based on Consent or an agreement; and (ii) the processing is carried out by automated means.

The User has the right to have the personal data transmitted directly from HIVE5 to another controller, where technically feasible. This does not apply to such information as, for example, material developed by HIVE5 from analyzing the original data.

• Right around mechanized and manual management

The User has the right to request human intervention where a mechanized decision is normally applied, to express its opinion on the mechanized decision and to contest the decision made automatically.

• Withdrawal of consent

The User has the right to withdraw consent at any time if we are relying on consent to process your personal information, in accordance with the applicable data protection legislation and subject to applicable exceptions. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

XII. SECURITY

Our security is intended to help protect against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and any other unlawful forms of processing.

We use technical, physical, and organizational measures to help protect against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and any other unlawful forms of processing. Personal information may be accessed by persons within our organization or our third-party service providers or third parties (such as law enforcement) who require such access to carry out the purposes indicated above, or who are otherwise permitted or required by applicable law.

XIII. COMMUNICATION

HIVE5 is entitled to call and to send text messages (SMS) to the telephone number indicated by the User, to send letters via e-mail to the e-mail address indicated by the User, as well as dispatch mail to the User’s postal address indicated by the User. HIVE5 will communicate personal data breach that is likely to result in a high risk to the rights and freedoms of the User, in case such occurs to the User without undue delay.

XIV. MECHANIZED AND MANUAL MANAGEMENT

HIVE5 is entitled to make automated decisions regarding the provision of services and the consequential procedures applicable to the User based on information collected about the User. HIVE5 may apply profiling to its Users in the course of its day-to-day business activities. Automated decisions may be made:

• during the registration process of new Users;

• during the ongoing business relationship of Users. HIVE5 may determine the communication that is relevant for each User based on their interests.

Automated decisions assist HIVE5 in being effective, scalable and relevant, and they may affect the way HIVE5 service is rendered to the User – this includes but is not limited to:

• payment processing based on User account activity or HIVE5 operational requirements;

• fees based on HIVE5 business model or service availability;

• tailored communication based on User interests or account activity;

• the specific services available based on User interests or account activity;

• User account status based on HIVE5 automated check results.

XV. COMPANY CONTACT INFORMATION

If you have any questions regarding this Privacy Policy or any Personal Information you have submitted to us, or if you would like to:

• access Personal Information that you have already provided to us so that you can correct or update it or request that it be deleted;

• exercise another of your rights; or

• submit a complaint, or report any violation of this Privacy Policy,

Please advise us by contacting support@hive5.co. Also, Users has the right to communicate with the Data Protection Officer of HIVE5 on data protection issues by e-mail: support@hive5.co.

If the User (except Users in United Kingdom) and HIVE5 cannot resolve a complaint or any other related issue on data protection issues, the User may lodge a complaint with the data protection supervisory authority in the Republic of Croatia: Personal Data Protection Agency, registered office address at Selska cesta 136, Zagreb, 10 000, Croatia.