> Privacy Policy | Open Exodus

Privacy Policy

Compliance with data protection provisions (specifically with the General Data Protection Regulation of the EU [GDPR] and the Swedish Data Protection Law) and thus the protection and confidentiality of your personal data is one of our company’s key concerns. This data protection statement informs you how our company collects personal data in our role as a controller, how we handle such data, and, in particular outlines the rights to which you are entitled with respect to personal data.

1. General

The processing of personal data, especially of the name, the address, the e-mail address or telephone number of a data subject is always handled in compliance with the General Data Protection Regulation as well as with the country-specific data protection provisions to which our company is subject. With this data protection statement, our company wishes to inform the public about the nature, scope, and purposes of the personal data that we collect, use, and process. Further, this data protection statement informs data subjects about the rights that they have.

2. Explanation of terms

The data protection statement of our company is based on the terms that were used by the European ordinance issuers when they issued the General Data Protection Regulation. The intention is to make our data protection statement easily legible and comprehensible for the public as well as for our clients and business partners. To assure this, we have compiled a list of definitions.

In this data protection statement, we use the following terms among others:

2.1. Personal data
Personal data means any information relating to an identified or identifiable natural person (hereinafter: ‘data subject’) An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.2. Data subject
A data subject is any identified or identifiable natural person whose personal data are processed by the controller in charge of processing.

2.3. Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.4. Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

2.5. Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

2.6. Recipient
Recipient means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

2.7. Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

2.8. Consent
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, either by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3. Name and address of the controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

3.1. The controller is:
Open Exodus
52 Grosvenor Gardens
SW1W 0AU London
Tel.: +44 (0) 20 3468 9948
E-mail: [email protected]

If you should have any questions related to individual processing activities, please contact the controller.

4. Scope of data processing

4.1. Categories of processed data and origin

We collect and process personal data that we receive within the scope of our business relationships with our clients. Basically, we process the smallest possible scope of personal data. The range of processed data varies depending on the groups of persons involved. Personal data can be collected and processed in any phase of a business relationship, beginning with the initiation and ending with the termination of the business relationship.

Apart from client data, we may also process personal data related to other third parties involved in the business relationship.

Personal data is differentiated by the following data categories:
• Particulars
• Legitimation and authentification data
• Information from the fulfillment of our legal obligations
• Other master data
• Data from the fulfillment of contractual obligations
• Information concerning the financial situation and occupational background
• Documentation data
• Marketing data
• Technical data
• Information from your digital communication with our company
• Data from public domain sources
• Image and audio data (e.g. video or voice recordings)

We process personal data from the following sources:
• Personal data that we receive from you in the form of submitted contracts, forms, your correspondence or other documents
• Personal data collected or transmitted in conjunction with the use of products or services
• Personal data legitimately sent to us by third parties, by public entities (such as UN or EU sanction lists) or by other companies (such as for the execution of contracts or for contractual fulfillment purposes).
• Personal data – to the extent needed by us to render our services – that we legitimately procure from publicly accessible sources or other sources such as databases for verifying and monitoring business relationships (including notifications from courts, authorities or administrative entities, also regarding memberships and public offices)

4.2. Legal framework and purposes of processing personal data
We process personal data in compliance with the provisions of the GDPR based on the following legal framework and for the following purposes:

4.2.1. For the fulfillment of a contract or for the implementation of precontractual measures
If the processing of personal data serves the fulfillment of a contract (such as the rendering of financial services) where the contractual party is the data subject, processing is based on Art. 6 para. 1 lit.b GDPR. The same applies to processing activities needed to implement precontractual measures, for instance in response to enquiries concerning our services.

4.2.2. For the fulfillment of legal obligations
If our company is subject to a legal obligation that requires the processing of personal data, such as for the fulfillment of fiscal, supervisory, or anti-money-laundering obligations, processing is based on Art. 6 para. 1 lit. c GDPR.

4.2.3. For safeguarding legitimate interests
Processing activities can also be based on Art. 6 para. 1 lit. f GDPR. This is the underlying legal framework for processing activities that are not covered by the above-mentioned legal frameworks if processing is required to safeguard a legitimate interest of our company or of a third party, provided your interests, underlying rights and basic freedoms do not prevail. In particular, such legitimate interests apply to the following processing activities:
• Prevention of fraud
• Direct advertising
• Transmission of data within a company group for internal administrative purposes
• Assurance of network and information security
• Prevention of potential crimes
• For the prevention and solution of criminal offences, for video monitoring in connection with the right to allow or deny access to the premises and the aversion of danger.
• For the documentation of discussions

Additionally, we collect personal data from publicly accessible sources for acquiring new clients and for the prevention of money laundering.

4.2.4. Due to your consent
Art. 6 para. 1 lit. a GDPR serves our company as a legal framework for processing activities that require your consent for a specific processing purpose.

4.3. Use and storage of your personal data
4.3.1. Forwarding of data
Entities within and outside our company may obtain access to your data. Within our company, your data can only be processed by entities or employees if they require your data for the fulfillment of our contractual, legal, and supervisory obligations and to safeguard legitimate interests.

If the company’s business activities and services are fully or partially outsourced to group companies (e.g. group-wide coordination tasks in various domains, such as due diligence, risk management or client relationship management) or to service providers outside our company or if they render services (such as payment transactions, issue and redemption of fund units, printing and distribution of documents, IT systems and other support functions), this will be done in compliance with applicable legal provisions. All group companies as well as external service providers or fulfillment agents to which personal data is transmitted are contractually obliged to safeguard data protection, to process your data exclusively within the scope of rendering their services, and to abide by data protection laws, directives, and legal provisions. Contract processors may include companies in the fields of banking services, distribution, IT services, logistics, printing services, telecommunication, collection, advisory services, consulting as well as distribution and marketing.

4.3.2. Data erasure and storage
We process and store your personal data for the entire duration of the business relationship, from the initiation to the termination of the contract. After the termination of a contract, which eliminates the purpose of storage, the duration of storage depends on legal safekeeping and documentation obligations. Safekeeping periods may extend across 10 or more years.

4.3.3. Automated decision-making including profiling
Fundamentally, our decisions are not based on the solely automated processing of personal data. In particular, when establishing and implementing a business relationship, we basically do not use automated decision-making. Equally, we do not use profiling.

5. Rights and obligations

5.1. Available data protection rights
5.1.1. Right of access
You have the right to gain access, free of charge and at any time, to stored personal data about you and to obtain a copy of such data. This right of access covers the following information:
• Processing purposes
• Categories of personal data being processed
• Recipients or categories of recipients to whom the personal data is or will be disclosed, especially recipients in third countries or international organizations
• Where possible, the envisaged period during which the personal data will be stored, or, if not possible, the criteria used to determine that period
• The existence of the right to request from the controller the rectification or erasure of personal data or restriction of processing or to object to such processing
• The right to lodge a complaint with a supervisory authority
• If the personal data is not collected from the data subject, any available information as to its source
• The existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Further, you have the right to be informed as to whether personal data has been disclosed to a third country or an international Organization. If this is the case, you shall have the right to be informed of the appropriate safeguards relating to the disclosure.
If you wish to exercise this right to be informed, please contact the controller at any time.

5.1.2. Right to rectification
You have the right to demand the immediate rectification of incorrect personal data that relate to you. Taking into account the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of submitting a supplementary statement.
If you wish to exercise this right to rectification, please contact the controller at any time.

5.1.3. Right to erasure
You have the right to demand the immediate erasure of personal data related to your person if one of the following reasons applies and no processing is required:
• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• You have withdrawn consent on which the processing is based according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR, and there is no other legal ground to process it
• You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR
• The personal data was unlawfully processed
• The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject

If one of the above reasons applies and you wish to demand the erasure of personal data stored by our company, you can request this from the controller at any time. He will comply with the erasure request without delay.

5.1.4. Right to restriction of processing
You have the right to obtain from the controller restriction of processing where one of the following applies:
• The accuracy of the personal data is contested, for a period enabling the controller to verify the accuracy of the personal data
• Processing is unlawful and you oppose the erasure of the personal data and request the restriction of the use of the personal data instead
• The controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims
• You have objected to processing pursuant to Art. 21 para. 1 GDPR and it has not yet been ascertained whether the legitimate grounds of the controller override those of the data subject

If one of the above prerequisites apply and you wish to demand the restriction of processing for personal data stored by our company, you can contact the controller at any time. The controller will initiate the restriction of processing.
The recipients whose personal data has been disclosed will be notified of the rectification or erasure of the data or of the restriction of processing. This duty to notify does not apply if it is impossible to implement or associated with an unreasonable effort.

5.1.5. Right to retract
You have the right to retract your consent to the processing of personal data at any time. This also applies to the retraction of statements of consent that were issued before the GDPR entered into force, i.e. prior to May 25, 2018. Please note that a retraction takes effect in the future. It does not apply to processing that took place before the retraction. If you wish to exercise your right to retract your consent, you can contact our controller at any time.

5.1.6. Right to data portability
You have the right to receive the personal data concerning your person, and that were provided by you, in a structured, commonly used and machine-readable format. You are also entitled to have this data transmitted to another controller by the controller to whom it was provided if processing is based on consent pursuant to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and processing relies on automated procedures, provided that processing is not required for implementing a task which lies in the public interest or takes place by exercising public authority vested in the controller.
To exercise your right to data portability, you can contact our controller at any time.

5.1.7. Right to object
You have the right at any time, for reasons relating to your particular situation, to object to the processing of personal data concerning you which is based on Art. 6 para. 1 lit. f GDPR. This also applies to profiling based on these provisions.
In case of an objection, our company shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or serve purposes involving the establishment, exercise or defense of legal claims.
If our company processes personal data for direct marketing purposes, you have the right to object at any time to the use of personal data concerning your person for such marketing purposes. When you object to processing for direct marketing purposes by us, we shall cease using the personal data for such purposes.

5.2. Exercising rights

We accept requests for information in writing, accompanied by a legible copy of an identification document (e.g. passport, ID card, driver’s license). You can send your request to our controller.
You can exercise further rights, such as the right to rectification, the right to erasure, the right to restriction of processing, and – if applicable – the right to data portability by sending us an appropriate message. Please send the message to our controller.

6. Right to lodge a complaint with the supervisory authority

You have the right to lodge a complaint with a supervisory authority in an EU or EEA Member State, especially at the place where you live or work or where the alleged infringement of the provisions of the GDPR took place.
If you need contact data for a supervisory authority in another EU or EEA Member State, please contact the controller.

7. Obligation to provide personal data

Please be advised that the provision of personal data may be required by law in certain cases (tax law, money laundering prevention, etc.) or can be the result of contractual provisions (information concerning the contractual party, etc.). To finalize a contract with us, it may be necessary for you to provide us with personal data that we will subsequently need to process. For example, you are obliged to provide us with personal data if our company concludes a contact with you. The non-provision of personal data would prevent the finalization of the contract.
You are not obliged to consent to data processing of those data that are not relevant or legally or regulatorily not required to fulfill the contract.

8. Contact form and e-mail contact

The website of our company provides information that allows swift electronic contacts with our company as well as direct communication with us and includes a general address for electronic communication (e-mail address). If you contact our company by e-mail or via a contact form, the personal data you share with us is automatically stored. Such personal data communicated on a voluntary basis is stored to enable processing or contact purposes. Personal data of this kind is not forwarded to third parties.

9. Registration of users

When you use the personalized client area, our company’s website gives you the possibility to subscribe to legal documents and reports as well as to marketing documents (“the documents”). The personal data communicated to our company in the registration process is defined by the entry form provided for this purpose.
Basically, you can only receive the documents if (1) you have a valid e-mail address and (2) you comply with our KYC and AML requirements. For legal reasons, the initial e-mail address you enter to receive documents is used to send a confirmation mail based on the Double-Opt-In process. This confirmation mail is used to verify whether the owner of the e-mail address has authorized the receipt of documents as the data subject.
When you register in the client area, we also store the IP address of the data subject issued by the Internet Service Provider (ISP) for the computer used for the registration as well as the date and time of the registration process. The collection of this data is required to trace the (possible) misuse of the e-mail address of a data subject at a later point in time and therefore secures the legal protection of the controller who is responsible for processing.
The personal data we collect within the scope of a registration is used exclusively for the delivery of our documents. Further, subscribers could be informed by e-mail if this is required for the respective registration, as might be the case in the event of changes to the technical circumstances. The personal data collected within the scope of the registration shall not be disclosed to third parties.

10. Notes on the use of cookies

When our website is accessed, users are informed about the use of cookies for analysis purposes and they are asked to give their consent to the processing of personal data used in this context. In the same context, this data protection statement is referred to.

10.1. Why are cookies used?
All websites of our company use cookies for statistical purposes and to improve the user experience. When you use this website, you consent to the use of cookies for this purpose.

10.2. What are cookies?
Cookies are text files that are stored on your electronic device to track your use of electronic services as well as your navigation preference settings across the individual web pages and if applicable to store your settings between visits. Cookies support the developers of electronic services in compiling statistical information regarding visit frequencies of certain website areas, helping them to improve the electronic services and to enhance user friendliness. A cookie contains a characteristic string of characters that allows the unambiguous identification of the browser when the user returns to the website.
Please note that most Internet browsers accept cookies automatically. You can configure your browser to prevent cookies from being stored on your electronic device, to accept cookies only from certain websites, or to notify you before a new cookie is accepted. If cookies from our website are deactivated, it may no longer be possible for you to seamlessly use all functions offered by our website.

11. Analysis tools

11.1. Use of analysis tools
We use analysis tools. In this context, pseudonymized data is collected and cookies are used to analyze how users make use of our electronic services. The information generated with cookies as regards your use of the website (for instance the host name of the electronic device used to access the website [IP address], browser type and version, the operating system used, as well as the date and time of the server request) may be transferred to the servers of third parties and are used for analysis purposes.

11.2. Google Analytics
Our company’s website uses Google Analytics, a web analysis service of Google Inc. (”Google”). Google uses so-called cookies, text files that are stored on your computer; these cookies make it possible to analyze the way in which you use the website. As a rule, the information regarding your usage of the website, as generated by cookies, is transmitted to a Google server in the USA and stored there. However, in those cases in which users have anonymized their IP address when using this website, their IP addresses will be truncated by Google within the member states of the European Union or in other states of the European Economic Area. Only in exceptional cases will the full IP address transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use such information to evaluate your usage of the website, to compile reports concerning website activities, and to render further services to the website operator in conjunction with website and Internet usage patterns. Within the scope of Google Analytics, Google may merge and aggregate the IP address communicated by your browser with other data. You can prevent the storage of cookies with appropriate settings of your browser software; however, if you elect to do so, you may not be able to fully utilize all of the functions of this website. Additionally, you can prevent the data collected by cookies regarding your use of this website (including your IP address) from being forwarded to and processed by Google by downloading and installing the opt-out browser plugin from https://tools.google.com/dlpage/gaoptout?hl=en.

For more information, visit http://tools.google.com/dlpage/gaoptout?hl=en or https://support.google.com/analytics/answer/6004245?hl=en (general information about Google Analytics and privacy). Please be advised that on this website, Google Analytics was modified with the code “gat._anonymizeIp();” to enable the anonymized collection of IP addresses (so-called IP masking).