Skip to content

Data controller's data

The manager of the personal data processing operations described in this Privacy Policy, who determines the purposes and means of data processing, is NEO Finance, AB, legal entity code 303225546, Ukmergės g. 126, LT-08100 Vilnius (hereinafter referred to as “we” or “data controller” or “Company”), which operates the peer-to-peer lending platform “Paskolų klubas” and the payment initiation and account information service “Neopay”.

Data protection officer

A data protection officer has been appointed in the Company.

If you would like to check or find out how the Company processes your personal data, or if you are going to exercise your rights as a data subject, please contact the Company-appointed data protection officer, email asmensduomenys@neofinance.lt, or by phone +370 687 00300.

Privacy policy objective and its application

The privacy policy is aimed at persons who are interested in the Company, its services, potential and current investors, consumer credit recipients, payment service recipients, representatives of business partners, service providers whose personal data are processed for the purpose of cooperation, as well as persons who visit the websites: https://www.paskoluklubas.lt/; https://www.neofinancegroup.com/; https://neopay.online/ (hereinafter referred to as “website” or “websites”), use the Company's electronic services, communicate with the Company on social networks or other way, or simply monitor the Company's activities on social networks.

Additional information may be provided in consumer credit, paid surety, electronic money account and payment service provision and other contracts, as well as in an agreement for investment in consumer credits, in consents for personal data processing or separate privacy notices. We respect your privacy and undertake to process and protect your personal data in a fair and lawful manner in accordance with the applicable legal requirements of the European Union and the Republic of Lithuania and the instructions of the controlling authorities. We apply appropriate technical and administrative measures to protect personal data against loss, unauthorized use, and changes.

By contacting us, you express your will for the Company to contact you regarding your request. By submitting personal data to us on this website or by browsing through it, as well as using electronic services, you confirm that you have read and understood the Privacy policy and are familiarized with the fact your data is processed.

The terms used in this Privacy Policy (e.g. data controller, data processor) shall be understood as defined and interpreted in the General Data Protection Regulation.

The Privacy Policy is governed by the law of the Republic of Lithuania.

Company employees and members of the management bodies are informed about the processing of their personal data in accordance with the procedure approved by the Company's local acts.

Personal data sources

Personal data may be obtained directly from you when you use our electronic services, you enter into contracts with us in your name or while representing other persons, send your curriculum vitae (CV), as well as other information related to employment, practice in the Company or otherwise contact us, communicate with us through social networks or simply watch our activities on social networks or by visiting the Company or browsing our websites.

We may also receive your personal data indirectly, for example, from persons you represent, your spouses, data processors, persons working under a self-employed person's certificate or a business license who provide the Company with financial documents for the purpose of assessing their solvency, in the course of receiving payments from you when the Company acts as a payment service provider, etc. We may also obtain your personal data from databases, registers and information systems that collect individual data, and other external sources, including but not limited to: The Bank of Lithuania, financial institutions, the State Social Insurance Fund Board (SODRA), databases and registers administered by the State Enterprise Centre of Registers, data controllers maintaining joint debtor's data files, databases managed by CREDITINFO LIETUVA, UAB, Public register of invalid personal documents, Public register of wanted (missing) people, international sanctions lists.

Please note that you are not required to provide any personal data, but it may make it impossible to provide services for you and achieve other set goals.

The purposes, categories, grounds, retention periods and recipients of the processing of personal data

The objectives related to the provision of services by the operator of crowdfunding and peer-to-peer lending platforms

Provision of peer-to-peer lending platform operator services, conclusion and execution of contracts with investors (lenders). For the purpose of concluding and executing agreements with investors (lenders) where the Company acts as an operator of a peer-to-peer lending platform, we process the following personal data of lenders (investors): name, surname, personal identification number, date of birth, place of residence (address), telephone number, e-mail address, age, amount invested, investment terms, rating of the person to whom the loan is granted, payment history, details of representation, date of conclusion of the contract, method of signing, e-money account and the turnover of money in it, investment report, investor status, password, confirmation of investment, physical or e-mail address, name of the person to whom the investment is granted, and signature.

If the contract is concluded with a legal person, we process the following personal data of the legal person's representative: name, surname, data related to the representation, contact details, position, physical or electronic signature.

Legal basis for processing: “processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR)” and “legitimate interest of the controller in the proper formation and performance of a contract (Article 6(1)(f) GDPR)”.

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and/or fulfilment of the obligations under the contract.

For an investor who had or has an investment in a loan taken out by a borrower, the Primary Market Loan Offer window displays the information of that investment, regardless of the status of that loan (active, repaid) or the status of the investment (confirmed, repaid, sold). The information displayed is exactly the same as what an investor can see in his/her investment overview. This information is only displayed to the investor if the borrower had a loan in the Loan Club before, the investor has invested in it and the borrower takes out a new loan.

Recipients of personal data: data may be transferred to the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania, the Financial Crimes Investigation Service (FNTT).

Provision of services as operator of a peer-to-peer lending platform, conclusion and execution of a reimbursable surety agreement

When the Company provides a crowdfunding service to investors and seeks to conclude and execute a remunerated surety agreement, we process the following personal data of investors (lenders) and consumer borrowers: name, surname, personal identification number, address, date of birth, details of representation, amount invested, consumer borrower, remuneration, and physical or electronic signature.

If the contract is concluded with the investor (lender) as a legal person, we process the following personal data of the legal person's representative: name, surname, data related to the representation, contact details, position, physical or electronic signature.

Legal basis for processing: “processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR)” and “legitimate interest of the controller in the proper formation and performance of a contract (Article 6(1)(f) GDPR)”.

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and/or fulfilment of the obligations under the contract.

Recipients of personal data: data may be transferred to the Bank of Lithuania.

For the purposes of credit assessment and other financial services, based on your consent, in the event that you have been awarded an E rating in the Loan Club, the operator of the peer-to-peer lending platform NEO Finance, AB will transfer your personal data to the consumer lender UAB PRO INVEST GROUP.

Objectives relating to the provision of consumer credit

Collecting credit application data, determining and assessing creditworthiness

For the purpose of the credit application, the data provided and the assessment of creditworthiness, we process the following personal data of the persons who have completed the consumer credit application (and, where applicable, their spouses): name, surname, personal identification number, place of residence and declared place of residence (address), nationality, details of identity document and a copy thereof, age, current and former employment, type of activity of current employment, length of service, education, telephone number, e-mail address, information on income, type and source of income, account statements, details of business license, sole proprietorship, register of income and expenditure, documents proving changes in income, tax return details, copies of documents justifying the receipt of regular benefits, details of assets and encumbrances, number of minor children and dependants, marital status, preferred terms of consumer credit, bank account number, credit rating, expiry date of the credit rating, credit history, types and amounts of financial obligations requested which have been the subject of an adverse decision, existing obligations and arrears, purpose of the consumer credit, details of the credit to be refinanced, whether or not the person is on the list of persons for whom applications have been submitted for the refusal to enter into a consumer credit contract, the physical or email address, signature, and data from the Register of Incapacitated Persons (NAR).

Legal basis for processing: “processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR)” and “processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR)”.

Data retention period: the data shall be retained for the duration of the contract and for 10 years after the expiry of the contract and the fulfilment of the obligations under the contract (in case of a contract based on a submitted application) or for 3 years after receipt of the data (in case of a contract based on a submitted application not being concluded).

For the purpose of concluding agreements with consumer credit beneficiaries and granting credit, we process the following personal data of consumer credit beneficiaries: name, surname, personal identification number, place of residence, place of work, telephone number, e-mail address, rating, expiry date of the credit rating, e-money account and its turnover, credit history, purpose of the consumer credit when funds are granted for refinancing, details of the credit to be refinanced, the time of conclusion of the consumer credit agreement, and the physical or electronic signature.

Legal basis for processing: “processing is necessary for the performance of a contract or for pre-contractual activities (Article 6(1)(b) GDPR)”.

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and/or fulfilment of the obligations under the contract.

Recipients of personal data: loan investors are shown the following personalized personal data of the borrower: credit rating, number assigned in the borrower's system, amount of credit, period of time, monthly payment, purpose of credit, solvency information (income, financial obligations and types of obligations, length of employment, history of debts), gender, age, place of residence (city), marital status, total liabilities and total income of the family (in case of a non-personal loan), number of dependants, assets, level of education. We may also provide personal data to the Loan Risk Database (PRDB) administered by the Bank of Lithuania and to UAB Creditinfo Lietuva and UAB Scorify, which administer creditworthiness data systems.

Extending credit, drawing up and executing contracts with consumer credit borrowers

For the purpose of concluding and executing agreements on electronic money account and provision of payment services, we process the following personal data of the Company's customers: name, surname, personal identification number, date of birth, place of residence (address), telephone number, e-mail address, age, electronic money account, date of opening of the electronic money account, account turnover, number of the current account at another credit institution, limits of the account transactions.

If the contract is concluded with a legal person, we process the following personal data of the legal person's representative: name, surname, data related to the representation, contact details, position, physical or electronic signature.

Legal basis for processing: “processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR)” and “legitimate interest of the controller in the proper formation and performance of a contract (Article 6(1)(f) GDPR)”.

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and/or fulfilment of the obligations under the contract.

Recipients of personal data: information on opened accounts is provided to the State Tax Inspectorate under the Ministry of Finance of the Republic of Lithuania.

Objectives related to other services

Payment initiation, authentication of users/payers, customer and user support

For the purpose of payment initiation, authentication of users (payers) of the service, provision of services to customers of the payment initiation service and users (payers) of the service, we process the following personal data of the payers: name, surname, payer's account number, personal identification number, the purpose of the payer's payment, the payer's chosen institution for managing accounts, unique financial transaction number.

If the contract is concluded with a legal person, we process the following personal data of the legal person's representative: name, surname, contact details, position.

Legal basis for processing: “processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR)”, “processing is necessary for the performance of a legal obligation to which the Company is subject (Article 6(1)(c) GDPR)” and “controller's legitimate interest in the proper formation and performance of contracts (Article 6(1)(f) GDPR)”.

Data retention period: data shall be kept for a maximum of 3 years, except for exceptions provided for by law.

Recipients of personal data: in the case of the provision of payment initiation services, your personal data is passed on to the recipients of the transferred funds (i.e. the Company's customers whose goods or services you purchase).

Provision of the Account Information Service, authentication of users, servicing of customers and users

For the purpose of providing the Account Information Service, authenticating users of the Account Information Service, and servicing customers and users of the Account Information Service, we process the following personal data of the users of the service: name, surname, personal identification number, the institution that manages the user's accounts, the user's account number, and the selected account information.

If the contract is concluded with a legal person, we process the following personal data of the legal person's representative: name, surname, contact details, position.

Legal basis for processing: “processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR)”, “processing is necessary for the performance of a legal obligation to which the Company is subject (Article 6(1)(c) GDPR)” and “controller's legitimate interest in the proper conclusion and performance of contracts (Article 6(1)(f) GDPR)”.

Data retention period: data shall be kept for a maximum of 3 years, except for exceptions provided for by law.

Recipients of personal data: in the case of the provision of account information services, your personal data is transferred to the recipients of the funds transferred (i.e. the Company's customers whose goods or services you purchase).

Objectives relating to the prevention of money laundering and terrorist financing

Identification, implementation of the Know Your Customer (KYC) principle

For the purpose of the Know Your Customer policy, we process the following personal data of the Company's customers and their representatives: name, surname, date of birth, nationality, address, copy of the identity document, data contained in the identity document, data from the Customer and Beneficiary Recognition Questionnaire, method of identification, photo of the face and the identity document, data on payment through the bank account, value of the executed transactions, whether the person is politically exposed, risk group, limit of the amount to be invested, personal name, alternative names, reason for rejection of identification, date, time of identification, IP address, browser data, publication of the person's search, documents proving representation (in the case of a legal entity).

If the data subject has expressed the wish to use remote means of communication for the purpose of verifying his or her identity, we process the following personal data of the client and the client's representative: signature of the natural person or e-mail signature, image data (image, face of the data subject, identity document, time and date of the image transmission), first name, last name.

Legal basis for processing: “processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR)”, “legitimate interest of the controller in the proper implementation of the Know Your Customer principle (Article 6(1)(f) GDPR)”.

Data retention period: the data shall be retained for 8 years from the date of the end of the transaction or business relationship with the customer. If the transaction has not been concluded and the reason for such refusal is not the implementation of measures to prevent money laundering and terrorist financing, the data shall be kept for 1 year.

Identification of the final beneficiary

For the purpose of identifying the final beneficiary, we process the following personal data of the final beneficiaries of the Company's clients: name, surname, personal identification number, date of birth, nationality, address, data from the client-beneficiary identification questionnaire (name, surname, share quantity, personal identification number).

Legal basis for processing: “processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR)”.

Data retention period: the data shall be retained for 8 years from the date of the end of the transaction or business relationship with the customer.

Recipients of the personal data: the data may be transferred to the Financial Crimes Investigation Service (FNTT).

Monitoring and updating data on relationships

For the purpose of monitoring and updating the relationship, we process the following personal data of the Company's clients and beneficiaries: the data provided in the Client and Beneficiary Recognition Questionnaire (name, surname, number of shares, personal identification number), personal name, alternative names, share of rights in the legal entity.

Legal basis for processing: “processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR)”.

Data retention period: the data shall be retained for 8 years from the date of the end of the transaction or business relationship with the customer.

Recipients of the personal data: the data may be transferred to the Financial Crimes Investigation Service (FNTT).

Monitoring suspicious cash transactions

For the purpose of monitoring suspicious monetary transactions, we process the following personal data of the Company's customers and beneficiaries: name, surname, monetary transactions or transactions carried out.

Legal basis for processing: “processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR)”.

Data retention period: the data shall be retained for 8 years from the date of the end of the transaction or business relationship with the customer.

Recipients of the personal data: the data may be transferred to the Financial Crimes Investigation Service (FNTT).

Data submission to/from the loan risk database administered by the Bank of Lithuania

For the purpose of providing data to/from the loan risk database administered by the Bank of Lithuania, we process the following personal data of consumer credit borrowers: name, surname, personal identification number, terms and conditions of the consumer credit agreement, fulfilment of obligations, and overdue obligations.

Legal basis for processing: “processing is necessary for compliance with a legal obligation to which the Company is subject (Article 6(1)(c) GDPR)”.

Data retention period: the data is provided for the duration of the consumer credit agreement or for the duration of the contractual obligations.

Recipients of personal data: the Loan Risk Database (PRDB) administered by the Bank of Lithuania.

Purposes relating to the provision of personal data to third parties

Providing data to/from the systems administered by UAB “Creditinfo Lietuva” and the credit bureau system

For the purpose of providing data to/from the information systems and credit bureau systems administered by UAB “Creditinfo Lietuva”, we process the following personal data of the borrowers of consumer credits and persons who have been denied a consumer credit: name, surname, personal identification number, date of conclusion of the consumer credit agreement, amount of the consumer credit, interest rate, due date of payment of obligations, history of payments and delays, reasons for not granting the consumer credit.

Legal basis for processing: “legitimate interest of the controller in providing information and the interest of third parties in receiving information (Article 6(1)(f) GDPR)”.

Data retention period: the data is provided for the duration of the contract or until the obligations are fulfilled. Data on outstanding credit shall be provided once.

Recipients of personal data: consumer credit institutions or financial companies participating in the information system administered by UAB “Creditinfo Lietuva” and the credit bureau system.

Provision of KYC and identification data to financial institutions

For the purpose of implementing the Know Your Customer principle and for the purpose of providing personal data collected for the purposes of anti-money laundering and anti-terrorist financing to financial institutions, we process the following personal data of customers and investors: name, surname, personal identification number, copy of identity document, Know Your Customer questionnaire.

Legal basis for processing: “consent of the data subject (Article 6(1)(a) GDPR)”.

Data retention period: the data is retained until the moment the consent is withdrawn. The period of validity of the consent not withdrawn is as long as the data subject is a customer of the Company.

Recipients of personal data: financial institutions with which the Company has entered into agreements for the provision of personal data for the purposes of implementing the Know Your Customer principle and for identification purposes.

Provision of borrower information to investors

For the purpose of providing information about the borrower to investors, we process the following personal data of consumer credit borrowers: credit rating, number assigned in the borrower's system, credit amount, credit period, monthly payment, purpose of the credit, solvency information (income, existing financial obligations and types of obligations, length of employment, debt history), gender, age, place of residence (city), marital status, total family liabilities and total income (if not a personal loan), number of dependants, assets, education level.

Legal basis for processing: “legitimate interest of the controller and third parties to disclose sufficient information to the borrower and the investor in accordance with Article 25 of the Law on Consumer Credit of the Republic of Lithuania (Article 6(1)(f) GDPR)”.

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and fulfilment of the obligations under the contract.

Recipients of personal data: investors intending to grant consumer credit.

Objectives relating to debt recovery and administration

Debt prevention and administration

For the purpose of debt prevention (sending reminders to consumer credit borrowers, making automated calls) and administration, we process the following personal data of consumer credit borrowers' debtors: name, surname, address, amount of the debt, duration of the delay, date of payment, telephone number, email address.

Legal basis for processing: “legitimate interest of the controller in ensuring the proper performance of contractual obligations and the recovery of debts (Article 6(1)(f) GDPR)”.

Data retention period: the data are processed during the period of sending the reminders and until the recovery of the claim.

Recipients of personal data: contracted debt collection agencies (data processors).

Debt management and recovery

For the purpose of debt administration and recovery, we process the following personal data of clients and debtors: name, surname, personal identification number, date of birth, place of residence (address), telephone number, amount of debt, data necessary to assess the solvency of the debt, and the means of securing the enforcement of the claim.

Legal basis for processing: “legitimate interest of the controller and of third parties (investors) in the enforcement of obligations and the recovery of debts (Article 6(1)(f) GDPR)”.

Data retention period: the data shall be processed for the duration of the contract and for 10 years after the end of the contractual relationship and/or the fulfilment of the obligations, the recovery of the debt, or the conclusion of a certificate of impossibility to recover the debt.

Recipients of personal data: contracted debt collection agencies (data processors).

Judicial debt recovery

In order to ensure the fulfilment of creditors' claims and to protect the interests of the Company and third parties in recovering debts in court, we process the following personal data of debtors: name, surname, personal identification number, date of birth, place of residence (address), marital status, telephone number, amount of the debt, the data necessary to assess the solvency of the debt, the means of securing the claim.

In order to properly assess the debtor's solvency and administer the debt collection process, we may process debtors' health data in order to enable the debtor to fulfil his/her obligations and/or to defer payment in the event of illness. Consent to the use of the debtor's health data for this purpose shall be expressed by means of an affirmative act of providing the health data to the Company. Consent to the processing of health data is voluntary. If a person refuses to consent to such processing, he/she cannot provide the Company with the health data and therefore the Company cannot adjust the timetables for the fulfilment of contractual obligations, etc.

Legal basis for processing: “legitimate interest of the controller and of third parties (investors) in ensuring the performance of their obligations (Article 6(1)(f) GDPR)” and “data subject's consent (Article 9(2)(a) GDPR)”.

Data retention period: the data shall be processed for the duration of the contract and for 10 years after the end of the contractual relationship and/or the fulfilment of the obligations, the recovery of the debt, or the conclusion of a certificate of impossibility to recover the debt.

Recipients of personal data: contracted debt collection agencies (data processors), bailiffs, courts.

Assignment of a claim on a debt to other persons

Pursuant to Article 6.101 of the Civil Code (CC), we have the right to assign all or part of the claim to your debt to third parties in accordance with the procedure provided for in the CC. Your personal data (name, surname, personal identification number, contracts and the information contained therein and other necessary information) are transferred with the debt. Your consent as the debtor (data subject) is not required for such a transfer, but the original or new creditor will inform you of such a transfer of personal data.

The legal basis for the processing/transfer: “legitimate interest of the original and new creditors and the purpose of ensuring the performance of their contractual obligations for the recovery of debts (Article 6(1)(b) and (f) GDPR)”.

Other purposes of data processing

Maintaining and developing business relationships with partners

For the purpose of maintaining and developing business relations with business partners, we process the following personal data of business partners and their representatives: name, surname, position, workplace, address, telephone number, email address, physical or email signature.

Legal basis for processing: “controller's legitimate interest in ensuring the maintenance of business relations and the administration of contact information (Article 6(1)(f) GDPR)”.

Data retention period: the data is processed for 10 years after the end of the relationship with the business partner.

Administration of the user area (self-service)

In order to ensure the functionality and administration of the Consumer Zone, we process the following personal data of consumer credit borrowers, investors and representatives: name, surname, personal identification number, address, email address, telephone number, data of login to the platform (date, time, actions performed in the system), IP address.

Depending on the chosen login method, the Company may process the following personal data: personal identification number, security code assigned to identify the person (Smart-ID login), telephone number, security code assigned to identify the person (mobile signature login), and username, password, two-factor authorization (email login), activity history, and any data obtained from other sources.

Legal basis for processing: “processing is necessary for the performance of a contract or for pre-contractual steps (Article 6(1)(b) GDPR)” and “legitimate interest of the controller in the proper formation and performance of contracts (Article 6(1)(f) GDPR)”.

Data retention period: the data is retained for the duration of the contract and for 10 years after termination of the contract and fulfilment of the obligations under the contract.

Contact

General enquiries: info@neofinance.com
Data protection matters: asmensduomenys@neofinance.lt · +370 687 00300