Privacy Policy

    Policy Statement

    The company , registration number: , legal address: , (hereinafter – Controller) the owner of the platform placed on homepage https://brics-invest.club (hereinafter – Platform), in connection with provision of crowdfunding services (hereinafter – Service) performs natural person personal data (hereinafter – Data) processing activities.

    Data processing is performed also by the Controller’s security agent , registration number: , legal address: , who is custodian of collateral (hereinafter – Joint controller). Controller and Joint controller (both together hereinafter – Joint controllers) jointly determine Data processing purposes and means.

    The Privacy Policy applies to natural person, who intends to use or uses the Controller’s provided Service (hereinafter – Customer) and to natural person, who is closely connected to person (natural person or legal entity) which intends to use or uses provided Services, who’s risk affects legal entity’s money laundering and terrorist financing risk level (hereinafter – Connected person), i.e. Beneficial Owner, representative, member of ownership structure, management board member or director. The Connected person Data processing is defined by requirements of European Union legislation regarding prevention of money laundering and terrorist financing activities.

    The Privacy Policy informs the Customer and Connected person (both hereinafter – Data subject) on the main Data processing principles performing Data collection, retention and transfer, as well as on on Data subject’s rights regarding the processed Data.

    Acceptance of the Privacy Policy is defined as Data subject agreement with Data processing principles and is equated to the Data subject consent with Data processing. The Privacy Policy acceptance is also defined as an entrustment to implement Connected person Data processing and confirmation of rights to give such entrustment in the name of the respective Connected person.

    Data processing principles apply only to natural person and are based on the European Data Protection Act (hereinafter – the Act) and Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter - GDPR).

    The access to Data is provided to the Joint Controllers employees, which ensure Data confidentiality during performance of their working duties on a basis of employment agreement and after its termination.
    The Privacy Policy informs on another undertakings
    to which Data are transmitted in order to process it on behalf of the Controller and on the Joint controllers defined purposes.
    Unauthorized person access to Data without the consent of Data subject is restricted, excluding occasions mentioned in the Act and GDPR requirements.

    The Privacy Policy may be revised and updated at any time informing Data subject about changes by posting the revised and updated Privacy Policy on the Platform homepage.

    The Privacy Policy takes effect upon its posting on the Platform homepage.

    In the case of any neсessity to receive additional information concerning the Privacy Policy Data subject can contact the Controller by writing an e-mail to info@brics-invest.club.


    Joint controllers

    Joint controllers process submitted Data performing Data exchange.

    Joint controllers’ respective responsibilities for the fulfillment of obligations, relevant actual functions and relationships with respect to Data processing are defined in the agreement concluded between them (hereinafter – the Agreement).

    Data subject is entitled to become acquainted with the basic conditions of the Agreement related to the Joint controlling of the Data on its written request.


    Purposes of Data processing

    The Controller processes Data for the following purposes:

    Use of cookies - in order to verify Data subject, remember its personal Platform account preferences, maintain and improve it. More information on cookies is available at Cookie Files Usage Policy.

    Identity verification - in order to ascertain and verify Data subject’s identity, conclude contract and provide Service.

    Platform account support - in order to create and maintain the Platform account, support its functioning.

    Performance of due diligence - in order to perform Data subject research in compliance with the requirement of the European Union legal regulation related to prevention of money laundering and terrorist financing activities.

    Reminders and notifications - in order to remind about incomplete Platform account creation, notify about changes in provided Service and other changes that might affect Data subject’s rights and obligations.

    Data subject can refuse reminders and notifications by informing the Controller via e-mail.

    Sending information - in order to communicate with Data subject in commercial and marketing purposes.

    Data subject can refuse communication in the defined purpose by informing the Controller via e-mail.

    Enforcement of statutory obligations

    in order to fulfill accounting and financial obligation, provisions of the European law and regulations of the Controller internal control system any information from any Data category may be used.

    Data processing purposes are interconnected with provision of Service, which may be provided only if the Data subject submits the Controller necessary Data determined in Data category.


    Categories of processed Data

    Controller processes the following Data categories:

    Identification data - name, surname, personal identification code, residence or seat address.

    Identity document data - copy of identity document.

    Due diligence data - including, but not limited to information regarding source of funds, economic activity, information whether the person is a politically exposed (PEP)[1] or sanctioned person, tax residence address.

    Platform account data - information regarding creation and activities (logins, IP-addresses, etc).

    Financial data - information regarding performed transactions, bank accounts or payment system accounts.

    Contact data -  information regarding residence or seat address, e-mail address and phone number.


    Transmission of Data

    The Controller transfers Data to another undertaking in order to achieve defined purposes and on a legal basis ensuring that undertaking had taken obligations not to divulge transmitted Data. 

    Identity verification service provider - Data subject identification and verification is carried out via electronic identity verification service provider where Data subject submits identity verification information.

    Third party - in order to protect Controller’s legitimate interests.

    Joint controller - Data transmission to security agent, who is custodian of collateral in connection with a secured loan (for detailed information relevant Terms and Conditions).

    Outsource service providers - in order to fulfill Controller’s obligations using outsourcing service, Data can be transferred to accounting, communications, legal, IT, compliance service providers, payment intermediaries, credit institutions, etc.

    State authorities - Data transmission to state institutions or organizations when these obligations are arisen from European legislation are obligated.


    Data retention

    Data collected for the purposes of implementation of due diligence measures are retained for 5 years after the termination of the business relationship or an occasional transaction.

    Data collected for the purposes of fulfilment of accounting obligations are retained for 7 years after the termination of a contractual relationship.

    Data may be stored for a longer period, but the period for which the Data are stored should be limited to a strict minimum.


    Data subject’s rights related to processed Data

    To exercise any of the rights Data subject can send to the Controller a request using an e-mail info@brics-invest.club. The exercise of a right must be clearly designated in the request provided to Controller.  

    The request is answered without undue delay within a month after it has been received. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Controller informs Data subject of the extension period and the reason of delay. The information upon request is provided in electronic form unless is otherwise requested.

    If the Controller does not take an action on the request it informs Data subject on the reasons at the latest within one month of receipt of the request. Information on Data issued upon request is free of charge, but compensation for any reasonable costs associated with dealing with the request may be demanded.

    Controller keeps right to request additional information concerning Data subject and its representative’s right to receive information and to request of rectification and erasure of Data. Controller keeps rights to refuse to act on the request in case when it is manifestly unfounded or has an excessive character. Controller also may restrict Data transmission or not transmit it in the case provided by European legislation.

    Right of access

    Data subject is entitled to:

    - obtain information on whether Data are being processed;

    - obtain information on source from which Data are being processed (if Data are not collected form Data subject);

    - receive an access to processed Data;

    - receive additional information on categories, purposes and retention of processed Data;

    - receive information on enterprises to whom Data are transmitted.

    Right to rectification

    Data subject is entitled to request prompt rectification of the incorrect Data and completing of the incomplete Data.

    Right to erasure

    Data subject is entitled to request prompt erasure of Data if one of the following conditions exists:

    - purpose of Data processing is reached and Data are no longer necessary;

    - Data subject withdraws consent given to the processing for specific purposes;

    - Data subject objects to Data processing;

    - Data have been processed unlawfully;

    - Data have to be erased for compliance with a legal obligation.

    The request to erase Data may be denied if there is a legitimate legal ground for doing so. 

    Right to restrict processing

    Data subject is entitled to restrict processing of Data where one of the following applies:

    - the accuracy of Data is contested;

    - Data processing is unlawful;

    - Data are no longer necessary for defined purpose;

    - Data subject has objected to processing, pending the verification whether the legitimate grounds for processing of the Controller override those of the accuracy of Data are contested.

    Right be informed

    Data subject is entitled to receive information on each enterprise and person who was informed on Data rectification or erasure or restriction of processing Data upon its request.

    Right to Data portability

    Data subject is entitled to receive Data and transfer them to another Data controller insofar Data have been provided based on Data subject content and the processing is carried out by automated means.

    This right does not apply to Data created by Controller.

    Right to withdraw the consent

    Data subject has right to withdraw the consent to Data processing.

    Right to protect

    if Data subject finds that the rights listed above are violated upon processing of Data, it is entitled to address with compliant the European Data Protection Inspectorate https://www.aki.ee/en/ 39 Tatari Street, 10134, Tallinn, Estonia, telephone (from abroad add +372) 627 4135, info@aki.ee  


    Data protection officer

    To enhance effectiveness of Data protection measures and ensure compliance with the Act and GDPR requirements Data Protection Officer who’s involved in all Data protection issues is appointed and notified through the Data Protection Inspectorate Enterprise Portal.

    Version 1. In force from the 1st of March, 2020.

    [1] PEP - 1) a natural Politically Exposed Person who is or who has been entrusted with prominent public functions including a head of State, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d'affaires and a high-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a State-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organization, except middle-ranking or more junior officials; 2) PEP family member - the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or local politically exposed person; a child and their spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or local politically exposed person; a parent of a politically exposed person or local politically exposed person; 3) PEP close associate  - a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a politically exposed person or a local politically exposed person; and a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person or local politically exposed person.