Version 3.1 - 27 March 2023
We are Lightyear Europe AS, a company registered in Estonia with company number 16235024.
Our registered office address is: Estonia, Tallinn, Volta 1, 10411.
If you have any questions about how we protect or use your data, please email us at firstname.lastname@example.org.
This policy details the personal information we collect and use, how we look after it, and the circumstances in which we may share it with someone else. It also sets out your rights around how we handle your information and lets you know how to contact us if you have any concerns.
Agreement - means Lightyear Europe AS Terms of Service and its Schedules, as amended from time to time and made available in the App and the Website
App - means our mobile or web application through which we will provide to you the Services
Data controller - means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Data processor - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller
Data processing - means activities which are performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
EEA - means the European Economic Area
GDPR - means the Regulation (EU) 2016/679, referred to as “the General Data Protection Regulation”
Lightyear, we, us, our - means Lightyear Europe AS, Estonian registry code: 16235024
Services - means the services that we provide to you under the Agreement
KYC - means “know-your-client”, a regulatory obligation to identify and verify the clients who use our services
personal data - means any information relating to an identified or identifiable physical person - an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the identity of that natural person
Website - means the website of Lightyear Europe AS, currently: https://lightyear.com/eu
3. What data we collect about you
When you sign up to use our Services, we need to process your personal data. At a high level, we use and process the following data:
- Personal details, such as your full name, personal identification number (or an equivalent identifying code), date of birth, age;
- Contact information, such as your email address, residence address and supporting documentation thereof (for example utility bills), phone number;
- Background information to fulfil our regulatory requirements, such as bank account information (and information in the bank statements), IP address, tax residency and tax identification numbers, citizenship, employment information, source of wealth, information provided in the identification documents (date of issue, expiry date, picture, country of issuance, etc.);
- Data on how you use the Services – various statistics and information on your Service usage, for example how many times a month you use the Services and which features you use and how;
- Data to facilitate the usage of Services – for example your login details and password, payment information (your bank account number to make deposits and withdrawals), browser type and version, time zone settings, operating system of the device you use to access the Services.
To learn how specifically we process your personal data, please see the detailed overview of personal data processing in Annex 1 below. Please be aware that we may collect the information listed in Annex 1 but, depending on the specifics, we do not always collect all of those data points in respect of each individual data subject.
4. Why do we use your data
It is necessary for us to process your data in order to provide the Services to you and to fulfil our legal requirements. If you decline to share with us the data we request, we are unable to provide the Services to you. We use your personal data in order to:
- carry out our obligations relating to your Agreement (Terms of Service) with us and to provide you with the information, products and Services, as well as facilitate social features connected to our Services;
- comply with any applicable legal and/or regulatory requirements;
- notify you about changes to our Services;
- keep our Services safe and secure;
- administer our Services and for internal operations;
- improve our Services;
- measure or understand the effectiveness of advertising we serve and to deliver relevant advertising to you;
- analyse, identify and categorise customers who use or may be interested in the Services;
- combine information we receive from other sources with the information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
5. Legal basis for using your data
To use the information as provided in section 4, we rely on the following data processing grounds:
- Consent (GDPR Article 6 (1)(a)). We can process your data based on your consent. For example, we may send you marketing materials based on your consent;
- Performance of a contract (GDPR Article 6 (1)(b)). We may process your data to perform our obligations pursuant to the Agreement to provide the Services to you. This might for example be the case if you contact customer support with any questions you might have;
- Legal obligations (GDPR Article 6 (1)(c)). We may process your data if it is necessary to meet legal obligations we are subject to. This might for example be data processing we conduct during our anti-money laundering activities;
- Legitimate interest (GDPR Article 6 (1)(f)). We may process your data if we have a legitimate interest to do so. Such necessity might arise for example for business development, to ensure information security, during fraud investigations, if so required by our external cooperation partners or if necessary to protect our legal interest.
6. Sharing data
We aim to share as little personal data about you as possible with service providers, especially outside the EEA region. Whenever possible, we anonymize the shared data so that you cannot be identified based on that data. In addition to that, we may transfer your personal data to countries outside the EEA area if it is necessary for the purposes as provided in Annex 1 of this Policy. In such cases we shall ensure that adequate safeguards are in place to protect your rights. You may request a copy of the safeguards we have put in place by contacting us via email.
We may also share your personal data if we are legally required to do so, for example in cases of financial supervisory authority, financial intelligence unit, tax authority or other relevant authority requesting personal data from us.
We also share your personal data with other Lightyear group entities, which may also reside outside the EEA region. Lightyear group entities are subject to the same internal data processing principles to ensure sound safeguarding of personal data within our group.
More specifically, we may share your data with the following parties:
- Lightyear group companies – we share your personal data with other Lightyear group entities to provide you the Services. Our group entities are and in the future shall be located either within the EEA region or in countries which are subject to adequacy decisions issued by the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). If we establish any group companies outside the EEA region, we shall make sure that adequate safeguards are in place to protect your personal data. Each Lightyear group company can function as an independent controller in such scenarios;
- Public authorities – upon receiving a valid request from a public authority, we shall share personal data to comply with our legal obligations. Public authorities are deemed to function as independent controllers in such cases;
- Service providers – in order to provide you with the best Service, we are cooperating with various service providers to (this list is high-level and not conclusive):
  - facilitate the participation in financial markets (for example trade execution, settlement partners and partners for payment services);
  - deliver to you the relevant data (such as market data, information concerning the financial instruments, etc.);
  - support and maintain our IT infrastructure (for example servers);
  - marketing agencies that help us with marketing and promotional activities;
  - partners that help us analyse and understand customer behaviour and aggregated data about our customers’ activities to be able to improve our services and marketing activities;
  - meet our regulatory obligations (KYC and sanction-related monitoring for example), etc. In such situations the service providers will function as data processors.
As referred to in this section above, from time to time, we may also share aggregated data, such as statistical or demographic data, with our service providers to better understand our customer behaviour, which allows us to improve our services and target our marketing efforts more knowingly. Before sharing such data we aggregate and anonymize it so that neither you nor any other customer will be identifiable within the dataset.
7. Publicly available data
We may also share your personal data with other Lightyear customers that you know. Lightyear customers can sync their contact list with Lightyear App to help them connect to their contacts that also use the Lightyear App, as well as invite people via SMS to download the Lightyear App. You are visible to persons that use Lightyear and that have your phone number or email stored in their contact list. Your contacts can follow your personal profile that shows financial instruments you have invested into (without showing the value of your portfolio or how many shares or fund units you hold). By default, your personal profile is set to private and no information related to your positions is shared. You may choose to turn it public to disclose such information to your friends and other contacts. You can always adjust your profile privacy settings via the App.
If you wish to not be discoverable by persons who have your contact details stored in the phone's contact list, please contact the Customer Support here: email@example.com.
When the contact list is synced, the personal information (phone number and email) accessed via the contact list sync will be cryptographically hashed so that the only information Lightyear stores is a hash value derived from the phone number and/or email. Lightyear does not collect names or any other information associated with your contacts and we do not share hash values we collect or make available to others. The process of hashing the information is irreversible.
8. Where we store your data
Protection of personal data is very important to us. We use various technical and organisational measures to ensure that your data is safe with us.
Your personal data is stored either in our databases or in databases of our service providers. Servers storing such data are physically located in the EEA region. In some instances, we may share your data with service providers located outside the EEA region, please see section 6 for more details.
9. How long we keep your data
We generally store your personal data as long as necessary for the purpose under which we collected the information. As a regulated financial institution, we are required by law to store some of your personal and financial data beyond the closure of your account with us. We will delete data that is no longer required by a relevant law or jurisdiction in which we operate. Our general data retention period is 5 years after ending the business relationship with you. This is a statutory data retention period which we have to follow to be compliant with our legal obligations. In some cases we may need to hold your personal data for longer to meet our legal obligations or if we have a legitimate interest (if longer data retention is for example required by our cooperation partners) to do so.
10. Your data protection rights
Under relevant data protection laws and this Policy, you have various rights related to your personal data as provided below:
- Right to access. You have the right to request access to the information we hold about you. Please be aware that this right can sometimes be limited by our regulatory obligations. We are unable to provide you access to personal data that would cause us to break the law, for example.
- Right to rectification. You have the right to ask us to update any of the information about you that you think is inaccurate or incorrect.
- Right to erasure and restriction of processing. You have the right to ask us to delete, stop processing or limit our use of your information that we hold. Please be aware that if we have a regulatory obligation to still retain this information, we might be unable to facilitate this request until the required retention period has elapsed.
- Right to data portability. You have the right to receive your personal data, which you have provided to us, in a structured, commonly used, and machine-readable format and you have the right to request us to transmit this data to another data controller if the data was gathered by your consent, pursuant to the Agreement between us or via automated means.
- Right to withdraw your consent. Your consent is voluntary, and you have the opportunity to withdraw your consent at any time. Please be aware that in such cases we may not be able to provide Services to you. In addition to that, you always have the right to withdraw your consent from receiving marketing materials from us. We provide you with the option to unsubscribe from such communications in each email, via the unsubscribe link. We still shall send you relevant information regarding the Services and our Agreement.
11. Automated decisions
We may make automated decisions about you. This means that we may use technology that can evaluate your personal circumstances and other factors to predict risks or outcomes. We do this for the efficient running of our services and to ensure decisions are fair, consistent and based on the right information. Most of the automated decisions we make are connected to providing the Services to you. If we make automated decisions about you that limit your rights or access to the App, we will review those decisions manually as soon as possible.
Our App can only be accessed from regions in which we have decided to operate. We automatically restrict access to our App in regions that we do not operate in.
If you have any concerns about our use of your personal data, you can make a query or a complaint to us at firstname.lastname@example.org and we will do our best to address the issue.
If you feel that we have not addressed your questions or concerns adequately, or you believe that your data protection or privacy rights have been infringed, you can complain to the Estonian Data Protection Inspectorate (www.aki.ee) if you are unhappy with how we have used your data. You have a right to bring an action before a court.
13. Applicable law and jurisdiction
This Policy will be governed by and construed in accordance with Estonian law. Without prejudice to any rights you may have to refer a complaint to the authorities, the courts of Estonia have exclusive jurisdiction to settle any dispute arising in connection with this Agreement and for such purposes we and you irrevocably submit to the jurisdiction of the Estonian courts.
14. Changes to this Policy
We continuously review our policies and procedures. We’ll post any changes we make to this policy on this page and let you know about any significant changes via email.
Personal data processing details
|Personal data||Purpose||Source||Legal basis|
|Personal data: first and last name, phone number, date of birth, personal identification number (or equivalent), age||To meet our regulatory obligations for the provision of Services||Directly from the data subject, some data points are verified using public databases, which depends on the residence of the data subject||Performance of a contract (GDPR art 6 (1)(b)), legal obligations (GDPR art 6 (1)(c))|
|Contact information: email address, residence address, geographical location (IP address), supporting documentation (utility bills, bank statements, other equivalent documents)||To know how we can contact you and for regulatory purposes||Performance of a contract (GDPR art 6 (1)(b)), legal obligations (GDPR art 6 (1)(c))|
|Background information: bank account information, IP address, tax residency and tax ID number, if applicable, citizenship, employment information, source of wealth, personal identification card data points (date of issue, expiry date, picture, country of issuance)||To understand to whom we shall provide the Services and to fulfil our regulatory obligations (related to KYC) as a provider of investment services||Legal obligations (GDPR art 6 (1)(c)), legitimate interest (GDPR art 6 (1)(f))|
|Data on how you use the Services: information on how long and how often you use the Services, what features you use the most and how and what not, etc. In connection to this data we may also capture relevant demographic factors associated with you.||To improve the App and our Services and how we market our Services||Directly from the data subject||Legitimate interest (GDPR art 6 (1)(f))|
|Marketing: email address, citizenship, etc.||To provide you with marketing materials||Consent (GDPR art 6 (1)(a))|
|Financial data: your payment information (cards, bank accounts, etc.), orders, deposits, investments, etc.||To provide the Services||Directly from the data subject, from service providers used by the data subject||Performance of a contract (GDPR art 6 (1)(b)), legitimate interest (GDPR art 6 (1)(f))|
|Customer support: different kinds of communications (emails, other messages, phone calls, etc.), information provided in those communications||To provide the Services||Directly from the data subject||Performance of a contract (GDPR art 6 (1)(b))|
|Data related to information security measures (technical information on how our Website and App is accessed and used)||To provide the Services||Directly from the data subject, public databases||Legitimate interest (GDPR art 6 (1)(f))|