Last Update: November 2022
a) “EEA” means, for purposes of this GDPR Notice, the then-current member states and member countries of the European Union and European Economic Area, respectively, and the United Kingdom.
b) “GDPR” means the General Data Protection Regulation 2016/679, EEA implementation legislation relating thereto, and the transposition of the General Data Protection Regulation 2016/679 into the United Kingdom’s domestic law (and amendments to the United Kingdom Data Protection Act 2018 relating thereto).
c) “Services” means the provision of the Platform and Website, related documentation and any other specified services or deliverables required to be provided by Securitize (for itself or on behalf or through any of its Affiliates) under the Agreement between you and Securitize.
e) Except as otherwise defined herein, the terms “controller,” “personal data,” “processor” and “processing” (including “process(es)” and “processed”) shall have the meanings set forth in the GDPR.
Any capitalized terms not defined herein take their meanings from the Securitize Platform Terms of Service.
If entering the Platform from the European Union, the data controller is [incorporated company licensed in Spain]
If entering the Platform from any other Country, the data controller is Securitize Inc, with a business address at 655 Montgomery Street, 7th, San Francisco, CA 94111. Contact address: email@example.com (Attn: Privacy)
Hereinafter, for purposes of this GDPR Notice, both companies are referred to as “Securitize”.
Securitize data protection officer contact details are: dataprotection@ securitize.io
To provide access and use of Securitize Platform and the Website, Securitize must process certain Personal Data, including the following:
a) When submitting forms on our Website and in e-mail, text and other electronic communications between you and the Website. To provide access and use of Securitize Platform and the Website, Securitize must process certain Personal Data, including the following:
b) When login in the Platform and creating a Platform Account: Login credentials used to connect to our Platform (Login ID, password), contact information (private or professional, such as name, address, phone number and/or email address), and other identification information that will allow us to identify you (identity card, passport information, place and date of birth, nationality, gender, image). All this information is considered your Account Information (“Account Information”). To provide access and use of Securitize Platform and the Website, Securitize must process certain Personal Data, including the following:
c) When using the Platform: additional information such as economic, financial and tax information (e.g. tax ID or tax status, income and other revenues), banking and financial information (bank account details, assets, declared investor profile including investment experience, investment activity, risk tolerance and transaction history, particularly regarding financial products offered through Securitize Platform), education and employment information (e.g. education level, remuneration), transaction data (beneficiary names, address, details including communications on bank transfers of the underlying transaction) crypto-wallet address, and other information required by applicable laws depending on your designated country (“Operational Information”). To provide access and use of Securitize Platform and the Website, Securitize must process certain Personal Data, including the following:
d) When navigating the Platform/Website: information may include usage details, IP addresses, device information including, but not limited to, identifier, device name and type, operating system, location, mobile network information, and standard web log information, such as your browser type, traffic to and from our site, and the pages you accessed on our website, and information collected through cookies, web beacons, and other tracking technologies (“Navigation Information”). To provide access and use of Securitize Platform and the Website, Securitize must process certain Personal Data, including the following:
The personal data that we process can be obtained from the information you provide us as User and/or Investor by completing forms on Securitize Platform/Website and/or submitting associated documentation required, by performing verification checks and submitting identity information through the Platform, when making operations and/or purchasing securities through the Platform or by sending your queries or requests for contact or information and/or when browsing the Platform and/or the Website. To provide access and use of Securitize Platform and the Website, Securitize must process certain Personal Data, including the following:
Each form and/or Service indicates the data required. All data is collected on a need-to-know basis. Remember that if you do not provide mandatory information, it is possible that we will not be able to deal with your query or process your request. To provide access and use of Securitize Platform and the Website, Securitize must process certain Personal Data, including the following:
Likewise, pursuant to the Securitize Legal Terms, you hereby represent and covenant that all information you provide or cause to be provided to Securitize is accurate, current, and complete. To provide access and use of Securitize Platform and the Website, Securitize must process certain Personal Data, including the following:
Should any of such information provided change, you agree that you will update this information as soon as possible through Securitize Platform or by contacting us at [firstname.lastname@example.org]
We can also obtain personal data from others, such as Issuers you have authorized to share your information, tax authorities, bankruptcy registers, governmental and competent regulatory authorities to whom we have regulatory obligations, fraud prevention and detection and anti-money laundering agencies, organizations and service providers.
Securitize will process Users’ and Investors’ Personal Data:
a) The Management of your Platform Account, based on the Agreement between you and Securitize. This includes the verification of your account and the maintenance of its functionalities to provide proper access and use.
b) Sending you communications. By choosing to use the Platform, you will receive disclosures, notices, documents, and any other communication about our Platform from us (“Communications”), as described in the Securitize Platform Terms of Service. Some of such communications are necessary for your access and use of the Platform and therefore, the legal bases for the processing of your data in this regard is the execution of the Agreement between you and Securitize. Other communications, such as the communications with selected Issuers of your choice, are voluntary, and based on your consent. Some others, such as commercial communications regarding Securitize Group news, new services, collaborations, etc. are based on our legitimate interest to keep you updated of our Platform and provide you with information about us that may be of your interest.
c) Managing & enabling operations, based on the Agreement between you and Securitize. This also includes all Services provided through the Platform, such as, for example, the recording of operations performed through the Platform and the offering of new financial products; administer, manage, and set up your Plaftorm Account to allow you to purchase the financial products offered through Securitize; and facilitate the transfer of securities and any other transaction through the Platform.
d) Meet the contractual obligations we have to you and/or facilitate the continuation and/or termination of the contractual relationship between you and Securitize.
e) Open, maintain or close your Platform Account, based on your consent, and process any operation and/or request made by you, based on your consent and the Agreement existing between you and Securitize.
To comply with applicable laws, including:
a) Resolve disputes
b) Reporting possible criminal acts or threats to public security to a competent authority and authenticating Investors’ identity and assessing risk status relating thereto (e.g., AML and Sanctions Screening) based on compliance with applicable laws. Securitize screens Investors for (i) anti-money laundering and related activities as required by the U.S. Bank Secrecy Act and its implementing regulations, or other applicable law (“AML”), and (ii) sanctions and related screening as required by the U.S. Office of Foreign Assets Control or other agencies or governments with jurisdiction over the parties (collectively, “AML and Sanctions Screening”).
c) The protection of Investors and Issuers, regarding applicable obligations, based on pre-contractual measures required by law. For example, we undertake your due diligence and onboarding check, verify the identity and addresses of our Users, and conduct mandatory suitability and convenience tests that may entail the profiling of Users to determine their knowledge of the financial products offered through the Securitize Platform and to protect inexperienced Users from high-risk financial investments. Such profiling based on your test responses is always reviewed by our staff, and therefore, no automated decisions are made.
d) Record transactions for accounting purposes, maintain statutory registers, and comply with requests from authorized financial, tax, administrative, criminal, or judicial authorities, law enforcement, state agencies and/or public bodies.
e) Comply with our accounting, auditing, and tax reporting requirements.
Responding promptly and appropriately to Investors’ inquiries and technical support requests, based on consent.
Analyzing the use of the Platform/Website to improve performance and functionalities, and measure and analyze Users’ and/or Investors’ experience, including:
b) Track traffic and analyze browsing habits to improve and develop new functions, and manage our risk and operations, based on our legitimate interest, both on the Platform and the Website.
c) Ensuring cybersecurity of the Platform/Website for all our users, and protecting our business against fraud, breach of confidence, theft and other attacks and misuses, to the extent that this is not required of us by laws, based on legitimate interest.
d) Address or investigate any complaints, claims, proceedings, or disputes, and conducting our internal audits, assist with internal compliance with our processes and policies, keep our internal records, and analyze and manage commercial risks, based on our legitimate interest.
e) Analyze your preferences to show you personalized content and/or customize our Website/Platform in accordance with your preferences, speed up your searches, and monitor and improve our relationships with Investors and Users, based on our legitimate interest.
Securitize does not track its customers over time and across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. Third parties that have content embedded on Securitize Website/Platform may set cookies on a user’s browser and/or obtain information about the fact that a web browser visited a specific Securitize website and/or the Platform from a certain IP address.
See your web browser's documentation for information on how to enable DNT signals and learn about other mechanisms that enable consumers to exercise choice about behavioral tracking.
Remember that consent-based processing may be revoked at any time. You may also object to continue receiving commercial communications in the manner indicated in the footer of each communication.
In any case, our legitimate interest remains proportionate, and we verify according to a balancing test that your interests or fundamental rights are preserved. Should you wish to obtain more information about such balancing test, please contact us at email@example.com
Securitize will only retain Investors’ and Users’ personal data for as long as reasonably necessary to fulfill the purposes for which collected, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.
To determine the appropriate retention period for personal data, Securitize considers the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which it processes the personal data (and whether it can achieve those purposes through other means), and the applicable legal, regulatory, tax, accounting or other requirements.
With regards to data processing through Securitize Platform/Website, your personal data are preserved, specifically:
a) In relation to the provision of access and full use of the Platform, your data will be retained as long as you maintain your Platform Account.
b) In relation to compliance with applicable laws, we will preserve the data for the time required by such legislation.
c) In relation to addressing queries and requests, the data will be retained for as long as necessary to deal with the query and/or manage the request.
d) In relation to sending communications, data will be processed until you request their erasure and/or until one year has elapsed since you opened our Communications.
e) In relation to analyzing the use of the Platform/Website to improve performance and functionalities, where the processing is based on consent, your data will be preserved until you revoke your consent. Where the processing is based on our legitimate interest, your personal data is processed only for the time necessary to aggregate the useful information for each analysis. In any case, web traffic information is periodically deleted, so that we only retain anonymous statistical usage data.
When no longer needed for their corresponding purpose, the data will remain duly blocked solely for the purpose of attending to any liability or obligation that may arise from the processing activities described above.
Securitize may share personal data regarding Investors with third-party service providers for the purpose of conducting AML and Sanctions Screening, provided that Securitize shall disclose only such personal data necessary to accomplish such purpose. The third-party service providers may provide Securitize with additional personal data or other information as a result of conducting AML and Sanctions Screening including, as applicable, contact information and sanctions history. Based on compliance of applicable obligations.
Securitize also may share personal data regarding Investors and Users with the following categories of recipients:
a) Securitize’s affiliates and companies within Securitize group providing Services through the Platform/Website, based on the Agreement between you and Securitize and the Securitize Legal Terms.
b)processors engaged by Securitize and such processor’s subprocessors (collectively, “Processors”) that provide Services to, or on behalf of, Securitize, including data storage, customer relationship management and third-party administrative services.
c) applicable governmental, judicial, or regulatory authorities/bodies as required by laws; and issuers identified by the Investors and/or third parties to which Securitize is directed to disclose those personal data, based on your specific and express consent and/or whenever is necessary for the compliance of our obligations under the Agreement between you and Securitize.
d) To enforce or apply our Agreement and other Agreements between you and Securitize, including billing and collection purposes.
e)If we believe disclosure is necessary or appropriate to protect the rights, property or safety of Securitize, other Investors and/or Users, and others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction when allowed by applicable laws.
Securitize may transfer personal data regarding Investors and Users from the EEA to Securitize (and its processors) or issuers in the United States and other countries which are not deemed by the European Commission to provide an adequate level of protection for personal data (each, a “Transfer”). Securitize stores the personal data of Investors from the EEA primarily in EEA-based cloud servers but will access your personal data in the United States for the purpose of providing the Platform/Website Services.
We guarantee that when your data may leave the EEA, the same protection level shall be maintained based on compliance with the provisions of European data protection regulation. In this regard, international transfers of data shall be carried out (i) to countries with an adequate level of protection declared by the European Commission; (ii) based on the provision of adequate guarantees such as standard contractual clauses or binding corporate standards; or (iii) by virtue of the authorization of the competent authority or control body or under other conditions provided for in the regulation.
To receive more information on international data transfers or to obtain confirmation or a copy of the guarantees in place you can contact us at [firstname.lastname@example.org].
This section does not apply to personal information that is protected under federal financial privacy laws. Personal information does not include information that is publicly available or that has been de-identified or aggregated.
California residents should refer to the sections Information “We Collect About You and How We Collect It” and “How We Use Your Information” for a discussion of the personal information we collect and how we collect and use it. As a California resident, beginning after January 1, 2021, you may have certain rights over personal information we have about you, depending on the type of relationship you have with us.
We do not offer an opt-out of sale link on our homepage for the purposes of the CCPA. We may share personal information with our service providers, with third parties with whom we jointly offer products or services, with third parties from whom you request a product or service through us, in the context of a merger, acquisition, bankruptcy, or other corporate transaction, or as otherwise permitted by the CCPA.
We have implemented measures designed to secure your personal data from accidental loss and from unauthorized access, use, alteration, and disclosure. We store and process your personal and transactional information, including certain payment information, such as your encrypted bank account and/or routing numbers, where Securitize facilities or our service providers are located, and we protect it by maintaining physical, electronic, and procedural safeguards in compliance with applicable regulations. We use computer safeguards such as firewalls and data encryption, enforce physical access controls to our buildings and files, and authorize access to personal information only for those employees who require it to fulfill their job responsibilities.
The safety and security of your information also depend on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website/Platform, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot totally guarantee the security of your personal information transmitted to our Website/Platform. Any transmission of personal data is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website/Platform except otherwise agreed in written with us.
We store our Users' and Investors' personal information securely throughout the life of their Platform Accounts. These measures include computer safeguards, limiting access to those personnel for whom access is appropriate, securing files and buildings, and other commercially reasonable measures designed to protect the confidentiality of your personal information in accordance with policies and practices.
Securitize is running an ongoing bug bounty program to find security holes and vulnerabilities on all of our platforms and APIS. Securitize conducts external cyber testing for all its systems by a certified company every six months, if security holes are found they are resolved and closed immediately. We are running internal audits and internal security pentest on all of our platforms on regular basis.
Securitize runs an internal security and event management platform that provides 24x7x365 monitoring and alerting for security events on our networks and system.
Subject to certain exceptions set out in the GDPR, natural persons have a right: (i) to request access to or correction or erasure of their personal data; (ii) to object to processing of their personal data; (iii) to restrict processing of their personal data; and (iv) to request a copy of their personal data, or to have a copy thereof sent to another controller, in a structured, commonly used and machine-readable format under the right of data portability. Natural persons also have the right to lodge a complaint about the processing of their personal data with a data protection authority.
Natural persons may object to personal data processed pursuant to Securitize’s legitimate interest. In such case, Securitize will no longer process their personal data unless Securitize demonstrates appropriate overriding legitimate grounds for the processing or if needed for the establishment, exercise or defense of legal claims.
Natural persons also may object at any time to processing of their personal data for direct marketing purposes. In such cases, their personal data shall no longer be used for that purpose.
You may revoke your consent at any time. Once the revocation has been exercised, it will not be retroactive unless otherwise required by law, and your data may be kept blocked for the prescription periods established by the applicable regulations.
These rights may be exercised by contacting [email@example.com]
Please, bear in mind that concerning the Platform, we cannot delete your personal information without also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.
For questions or inquiries regarding this GDPR Notice, please reach out to firstname.lastname@example.org.