Privacy Policy

Octet Europe Ltd.

This document sets out our policy on the management of personal information which we have about individuals. Those individuals include buyers to whom we may provide or may have provided a service and individuals who may sell goods or services to a buyer with the help of our service.

Throughout this notice:

1. “you” shall refer to yourself as a buyer, guarantor, seller, or your associate or any authorised person appointed by you to represent yourself;
2. “we” shall refer to Octet Europe Limited, a Payment Institution with Company No. C88287 and registered address at Nr. 2 Level 2, Regional Business Centre, University Heights, Msida MSD 1751, Malta, and acting as data controller;
3. “data” shall refer to personal data, i.e. any information that may be related to an identified or identifiable data subject.
4. “data subject” shall mean you where you are a natural person, whatever the nationality or place of residence, in relation to whom your personal data is processed. Where you are a legal person, then the data subject shall refer to the natural person who is authorised to represent you, your officers, directors, shareholders, controllers, employees, affiliates, and associates.
5. “buyer” means a person (such as a company, sole trader or partnership) to whom we are providing our services;
6. "seller” means a person (such as a company, sole trader or partnership) which has sold or may sell goods or services to the buyer by using our services; and
7. “associate” means a person who is or may become an officer or employee of the buyer or the seller.
8. “Service Agreement” shall mean the terms and conditions, the seller rules and offer, the buyer rules and offer, and any amendment or ancillary document connected thereto which are entered into between us and the buyer/seller.
9. “Services” shall include all the services which are identified in the Service Agreement that we provide to you including but not limited our services as a licenced financial institution, to the access and use of the Octet Platform, our services as Octet Financial Institution (OFI).

Please read this Privacy Notice carefully and kindly do not use our services if you disagree with it.

Any changes we make to this Privacy Notice will be posted on our website.

1. Our privacy assurance to you

The privacy of your data is important to us. We respect your right to be aware of who has your data, what they are doing with it and why, and who else they are sharing it with. We are committed to protect the privacy of the data in accordance with the General Data Protection Regulation  EU Regulation 2016/679 (hereinafter “GDPR”) and the Data Protection Act (Chapter 586 of the Laws of Malta) (hereinafter “the Act”) as may be amended from time to time.

The underlying Privacy Policy provides you with relevant data processing information as required in terms of article 13(1) of the GDPR.

2. Overview

This privacy policy explains how we collect, manage, use, and process your data. In particular it explains, in relation to that data:

• the kinds of data we collect and hold;
• how we collect the data;
• the purposes for which we collect, hold, use and disclose the data;
• how you can access your data that we hold and seek the correction of that data;
• how you may complain and how we may deal with the complaint; and
• whether we are likely to disclose your data to Non-EU recipients.

By browsing our website and using our services including the services set out in the service agreement, you agree to and accept that we collect and process your data in accordance with this Policy.

You may at any time withdraw your consent and acceptance of our services by notifying us thereof by the contact details in section 7 below and, where applicable, in line with the service agreement. We will then delete or anonymize data that is referable to you, however, excluding such data that we are required to retain by law, if any.

We have a right to, at any time, change this Policy. We shall notify upcoming changes to the Policy via our website with reasonable advance notice. If you do not accept the changed terms, you have a right to notify us that you are not permitting any further processing of your data prior to the changed policy enters into force.

The legal bases for processing your data are:

• To take the required steps prior to entering into a service agreement with you whereby you engage us to provide you with our services in line with our license and for the performance of the said service agreement for which you have declared your consent - such data is necessary for us to provide you with such services. The consequence for not providing such data to us is that you would not be able to avail yourself of our services.

• Our legitimate interests – in particular legitimate interests which may arise directly or indirectly in relation to your instructions to us and in keeping you updated with information. We also have a legitimate interest to process your data for safety and security of our services. When we process your data, we ensure that the legitimate interests pursued by us are overridden by your interests, rights and freedoms which require protection;

• Your explicit consent – in which case, our processing shall be limited to the purposes specifically indicated when your consent was requested and given; and

• Compliance with legal obligations imposed on us – in particular as a result of our license conditions, the Financial Institutions Act (Chapter 376 of the laws of Malta), Prevention of Money Laundering Act (Chapter 373 of the laws of Malta) that arise in Malta, obligations under FATCA and CRS (where applicable), and other obligations, regulations, guidances, rules or otherwise imposed upon us in terms of applicable law, it is necessary for us to process your data.

3. The kinds of personal information we collect and hold

We collect and process data about you and your use of our services. This information includes:

• identification information, such as the name, residential address, contact information, date and place of birth, nationality, tax residency, email and telephone number;
• Documentation to prove and verify your identity or your address;
• Documentation to prove source of funds and wealth;
• Financial data including bank/card information; payment details and history, products and services used;
• Correspondence that you send to us;
• Marketing and communications data; and
• Other information such as information collected through cookies, IP address, log-in times, operating system and browser type and details of your visits to the Octet Platform. 
• Other information which we may specify in the service agreement we enter into with you.

Please always provide us with updated, correct and accurate information and notify us immediately in case of changes to the information that you provided us. You are committed to ensure that you obtain the necessary consent of any another person whenever you provide us with information related to such person and to inform the said person of their rights arising out of this privacy policy..

If you opt not to provide us with any of your data included above, this may delay or prevent us from adhering to our obligations or from providing our services to you. In this event our service provided to you may be cancelled or terminated.

The data we collect and hold varies depending on the data subject we are dealing with and the reason why we are dealing with them. Under various laws and regulations in force in Malta, we will be (or may be) authorized or required to collect data about a particular data subject or individual. These laws and regulations include, but are not limited to, the Prevention of Money Laundering Act (Chapter 373) and Prevention of Money Laundering and Financing of Terrorism Regulation issued there under , Companies Act (Chapter 386), National Interest (Enabling Powers) Act (Chapter 365), Income Tax Act (Chapeter 123), Income Tax Management Act (Chapter 372) and any regulations, guidances, rules or otherwise issued thereunder.

4. How we collect personal information

We collect data in a variety of ways. For example, we may obtain the data from you or from persons acting on your behalf. When it is possible and practical we will collect data directly from the data subject or from a third party. The third party could be your authorised representative (such as a broker, agent, accountant or lawyer), an other financial institution, a referee, an employer or a government body. When you are the seller or an associate we may obtain the information from the buyer.

This is all done in order that we comply with our legal obligations to prevent fraud, money laundering or terrorist financing.

5. How we hold information

We have implemented appropriate technical and organisational measures to ensure that data which we hold is protected from misuse, interference or loss and from authorised access, modification or disclosure.

We do this by having physical, electronic and procedural safeguards which protect the data we hold. For example, the data is stored in secure office premises, secure cloud based storage applications (such as AWS cloud) or in secure archiving facilities and logins and passwords are required to access electronic databases. Our staff are required to maintain the confidentiality of data and access to data is restricted to persons who require access to perform their duties.

6. The purposes for which we collect, hold, use and disclose personal information

We collect, hold, use and disclose your data for purposes permitted by law which are reasonably necessary for our services. Those purposes include:

• if we have obtained your consent to the processing of your data;
• where you are the buyer, to determine if we should provide our services and, if we decide to provide our services, to assist in the provision of such services. This is necessary for the performance of our contractual obligations arising out of the service agreement. This includes the assessment of the application, managing the account and executing of transactions, recovering money and dealing with any security which you may give;
• where you are the seller, to record the contract entered into between the seller and the buyer and to disburse amounts we receive from the buyer by executing the payment to the Octet financial institution which has entered into a contract with the seller;
• where you are the associate of the buyer, to determine if we should enter to the Service Agreement and to assist in the provision of the Service Agreement;
• where you are the associate of the seller, to record the contract entered into between the seller and the buyer, to confirm that there is a bona fide contract between the seller and the buyer and to disburse amounts we received from the buyer by executing payment to the Octet financial institution which has entered into a contract with the seller;
• to manage and administer the services which we provide;
• to assist in the management and enforcement of the services we provide, for data analysis and internal management;
• to deal with complaints and legal proceedings;
• to meet our legal and regulatory obligations and requirements;
• to protect your interests if the processing of your data is necessary;
• if the processing of your data is necessary for us to establish, exercise and protect our legal rights; and
• for market research. You may be contacted to participate in market research. In this case, your participation and any information provided by you will be held anonymously, unless you specifically instruct us otherwise.

To provide our services in the most cost effective and efficient way we may decide to disclose your data to partners or companies that we collaborate with that will process data on our behalf. For example, we may use a mailing house to send monthly statements. In such event we shall always be responsible for the correct processing of your data.

We may also disclose data as part of our obligations arising out of and the performance of the service agreement, amongst others:

1. where the buyer and the seller agree to share data which is not requested or required by us to be collected and processed and such data is stored on the Octet Platform, we shall disclose such data to the buyer/ seller as part of our service;
2. to the Trade Relationship Officer (TRO) appointed by the buyer and the seller and/or the TRO with whom we, acting as Octet Financial Institution (OFI), have entered into an agreement for the purposes of making available a TRO to the buyer and seller;
3. To our web-based service providers, being third party service providers of payment gateways, for us to receive funds authorised by the buyer. Your credit card details will be disclosed to the payment gateway provider. We have agreements in place with such payment gateways that also regulate the processing of such data;
4. To the OFI appointed by the seller to receive funds from the buyer’s account registered with us through the Octet platform and for the OFI to have access to the details of the sale contract concluded between the buyer and seller. It is noted that where the Seller is non-EU entity then the OFI appointed will be Non- EU and the policy transfer of data to Non- EU countries described below will apply. The same is said where the Buyer is non-EU entity.
5. To our Octet Platform and the Non- EU based platform provider with whom we have an agreement for the provision of our Octet Platform which is accessible by you;

In such event, we shall only act on instructions received and take the necessary measures to ensure a level of security is in place to allow for the disclosure of your data freely and protect the data that is processed against any unlawful form of processing in terms of GDPR.

Moreover, we may also be required to disclose your data under applicable law or a decision of a competent authority, to protect our legal interests or to detect, prevent or observe fraudulent behaviour. 

We may use automated systems to make decisions about you based on an assessment of data we hold about you. This is carried out in line with our Anti-Money Laundering Obligations with to detect, prevent or observe fraudulent behaviour and in line with our licence obligations. The effect of the use of automated systems will be that:

1. you may not be approved by us at pre-contractual stage and therefore not granted access to the Octet Platform or any of our services; or
2. Your access to the Octet Platform or any of our services will be suspended/ terminated at any stage during the application of contractual obligations (further to Anti-Money Laundering monitoring requirements).

In this event, you have the right to contact us to challenge the automated processing of your data. 

In the event that your consent has been obtained for such purpose, your data may also be used or disclosed for direct marketing purposes to tell you about products or services that may be of interest to you . You have a right to withdraw your consent at any time by sending an e-mail to privacy@octetfinance.com or by writing to us at: 

Data Protection Representative

Octet Europe Ltd

University Heights

Regional Business Centre Level 2

Msida MSD 1751

Malta

7. How an individual may access personal information

A data subject may access his or her data which we hold by contacting our Data Protection Representative as follows:

E-mail: privacy@octeteurope.com

Mail: Privacy Contact Officer

Octet Europe Ltd

University Heights

Regional Business Centre Level 2

Msida MSD 1751

Malta

We will need to verify the identity of the data subject before giving access to any information. We will usually provide a copy of your requested data without undue delay and in any event within 30 days of receiving the request. In line with GDPR this period may be extended by two further months, where necessary, depending on the complexity and number of requests made. We shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. There is no charge to make a request, but we may levy an administration fee for providing access.

If there is a reason why we do not make the requested personal information available we will provide our reason in writing.

8. How an individual may seek the correction of personal information

If a data subject considers that any personal information which we hold is incorrect in any way the data subject may ask us to correct that personal information. To seek the correction please contact our Data Protection Representative at the e-mail or postal address above. 

In certain situations we may decide not to agree to a request to correct your data. We will tell you in writing why we have not agreed to the correction request. 

9. How long do we keep your data?

We shall keep your data for such period as may be required in accordance with laws and regulations applicable to us. In no case shall we retain your data for a period exceeding ten years from the termination of our business relationship or the service contract whichever is the later.

10. Who are the recipients of your data?

We may share your data with the following recipients:

• our employees, associated companies, auditors, consultants and associates;
• market researchers;
• our correspondent and agent banks, merchant banks, payment service providers and card schemes;
• other financial institutions appointed by the Seller;
• law enforcement agencies; and
• courts of law, tribunals and other dispute resolution bodies, governmental or competent authorities.

We shall ensure that the persons with whom we share your data apply the appropriate safeguards to protect your data from any unlawful use, processing or disclosure.

11. How do we protect your data?

We have adopted appropriate technical and organisational measures to collect and process your data. Such measures include, among others, the restriction of access to your data by unauthorised personnel and strong technological security systems, e.g. anti-virus programs and firewalls.

We also shall contractually ensure that appropriate measures are adopted by any third party to whom we shall, if required, transfer your data.

However, please keep in mind that the transfer of data over the internet, despite all the necessary safeguards being applied, involves some degree of risk and is never fully secure. By way of example, we will never send you an email asking you for your card details, username and password. If you receive such mail, you shall immediately forward this email to us.

Our website may, from time to time, contain links to and from the websites of our partner networks. If you follow a link to any of these websites, before submitting any data to such websites please read their privacy policy and be aware that we shall not be held liable and responsible for their privacy or any other of their policies.

12. What other rights do you have?

Under GDPR you may also exercise the following additional rights:

• right to be informed on what information is being collected, how it is being used, how long it will be retained by us and if it will be shared with third parties;
• right to erasure (“the right to be forgotten”). You can ask us to erase your data in certain circumstances, e.g. when data is no longer necessary or was unlawfully processed or when you withdraw your consent. However, we cannot erase your data where the processing and/or holding of such data is necessary for: exercising the right of freedom of expression and information; compliance with our legal obligation; achieving purposes in the public interest or statistical purposes in respect of the principle of data minimisation; the establishment, exercise or defence of legal claims;
• right to restrict processing. You can ask us to limit the way we use your information;
• right to data portability. You have the right to receive your data in a structured, commonly used and machine-readable format and to have your data transmitted directly from us to another controller, where technically feasible; and
• right to object. We will notify you if we are going to use your data in a manner that is different from the use set out in our Privacy Notice. You have the right to object to any new use or change in use of your data.

13. How an individual may complain and how we will deal with the complaint?

We have an internal dispute resolution system that covers complaints. If you consider that we have failed to comply with GDPR or the Act, you are requested to contact our Data Protection Representative on the email or postal address given under paragraph 7 of this privacy policy. We will then follow our internal dispute resolution procedure and we will acknowledge the complaint within 2 working days. A decision will be made and advised promptly but not later than 30 days or a longer period as may be agreed with the individual. If you are not satisfied with the decision, you may make a complaint with a supervisory authority and seek a judicial remedy, in the Member State or his/her habitual residence or place of work. The Maltese supervisory authority is the Office of the Information and Data Protection Commissioner with website idpc.org.mt which contains contact details and also provides online filing of complaints. 

14. Disclosure of personal information to overseas recipients

We will only transfer data to non-EU recipients in line with the standard contractual clauses  and processing agreements we have agreed to with such non-EU recipients. Otherwise, we will transfer data to non-EU recipients when this is necessary for the performance of our contractual obligations arising out of the service agreement with you; or for the implementation of pre-contractual measures taken at your request prior to signing the service agreement in line with the derogations set forth in Article 49 GDPR.

For example, (i) if the seller or the Octet financial institution which has an agreement with the buyer is located in a non-EU country, we may need to send the buyer’s data to such non-EU country so that we can confirm that a bona fide contract has been entered into between the buyer and the seller or to make a payment to the Octet financial institution [the same is said where the buyer is located in a non-EU country] ; (ii) if there is a dispute between the buyer and the seller we may need to provide information to a person located in a non-EU country to assist in the resolution of that dispute; (iii) we may use service providers, such as the platform provider, located in Non-EU countries. 

It is not practicable to specify the countries other than Malta in which the recipient could be located as this will largely depend on the sellers with whom the buyer decides to contract or vice-versa.

Furthermore, you are required to ensure that you obtain the consent of the data subjects associated with you and who’s data will be involved in such transfer. We shall not be held liable or responsible in any way for any transfer of data to a non-EU country should it result that the appropriate consent was not obtained by yourself from the data subject. We shall endeavour to document and implement necessary safeguards to provide as much protection possible within our control to the data subject with respect to such transfer and to ensure that the rights available to the data subject are enforceable and effective legal remedies are available to the data subject. However we cannot guarantee these safeguards and we will not be responsible for the way that non- EU entity, to whom the data has been transferred, handles the data it receives from us. 

15. Contact us

Questions, comments and requests regarding this privacy policyare welcome and should be addressed to our Data Protection Representative via email as provided under paragraph 7 above.