Privacy Policy
Privacy policy

1. GENERAL PROVISIONS

1.1. Inrem finance, CJSC (org. Inrem finance, UAB), a company established and operating in accordance with the laws of the Republic of Lithuania, whose main activity is the provision of loans to business, respects Your privacy and protection of personal data, therefore pays special attention to the security of processed personal data.

1.2. This privacy policy regulates the processing of personal data of website users and (or) clients and (or) potential clients by both automated and non-automated means carried outby Inrem finance, CJSC as a data controller.

1.3. By visiting Inrem finance, CJSC website and (or) using the information contained therein and (or) using the services provided by Inrem finance, CJSC and (or) contacting regarding provision of services, You confirm that You have read, understood and agree with the terms prоvided in this privacy policy. Also, by concluding a loan and (or) other services agreement with Inrem finance, CJSC, this privacy policy becomes an integral part of the agreement.

1.4. If You do not agree with this privacy policy or its individual terms, Inrem finance, CJSC will unfortunately not be able to provide You with access to all or any of the services provided by the company.

1.5. Please read carefully and also acquaint current and (or) future authorized representatives, the persons You represent, the beneficiaries and other persons who are in any way related or may be related to the services provided by Inrem finance, CJCS with this privacy policy.

1.6. Inrem finance, CJCS notes that this privacy policy is a general document. For personal data processing information, please contact the contacts listed in Section 12 of the privacy policy.

1.7. Inrem finance, CJSC processes personal data in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, the Law on Legal Protection of Personal Data of the Republic of Lithuania and other applicable legal acts as well as this privacy policy. In the event of any inconsistency between the law and the provisions of this privacy policy, the provisions of the law shall prevail.

1.8. Inrem finance, CJSC has the right to unilaterally change the provisions of this privacy policy at any time by publishing a new version of the privacy policy on the website. The new version of the privacy policy takes effect upon its publication on the website. The privacy policy is reviewed at least every 1 (one) year.

2. CONCEPTS AND DEFINITIONS

2.1.Key concepts and definitions used in the present privacy policy:

2.1.1.personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2.1.2.data subject means a natural person whose data is processed (e.g., a user of a website or a client‘s, which is a legal entity, contact person, representative, beneficiary, etc.);

2.1.3. processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2.1.4. processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

2.1.5. controller means Inrem finance, CJSC, which determines the purposes and means of processing Your (data subject‘s) personal data, as they are defined in the present privacy policy. The controller is also referred to as the "Company" in this privacy policy; records of processing activities means a document recording the purposes of the Company‘s data processing activities, data subjects, data recipients, data deletion deadlines and other required or significant information on data processing activities. Records of processing activities are also referred to as "ROPA“ in this privacy policy;

2.1.6. privacy policy means this Company‘s privacy policy, which sets out the main purposes, scope, sources, recipients, cookie policy and other aspects of the processing of personal data (hereinafter referred to as the "Privacy Policy");

2.1.7. regulation means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "Regulations"). The Regulation may be accessed by clicking this link: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from.

2.2.Other terms used in this Privacy Policy should be understood as defined in the Regulation, the Law on Money Laundering and Terrorist Financing of the Republic of Lithuania, the Law on Financial Institutions of the Republic of Lithuania and other relevant legal acts.

3. PRINCIPLES OF PROCESSING OF PERSONAL DATA

3.1. Your personal data are processed in accordance with the following principles:

3.1.1. lawfulness, fairness and transparency, which mean that personal data are processed in a lawfully, fairly and in a transparent manner;

3.1.2. purpose limitation, which means that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

3.1.3. data minimisation, which means that only personal data that are adequate, relevant and only necessary for the purposes for which they are processed are collected;

3.1.4. accuracy, which means that personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

3.1.5. storage limitation, which means that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

3.1.6. integrity and confidentiality, which means that personal data are processed in such a way as to ensure adequate security of personal data through appropriate technical or organizational measures, including protection against unauthorized or unlawful processing and against unintentional loss, destruction or damage;

3.1.7. accountability, which means that the Company is responsible for compliance with the Privacy Policy statements provided in Articles 3.1.1.-3.1.6 of this Privacy Policy and must be able to confirm that they are complied with.

4. LAWFULNESS OF PROCESSING PERSONAL DATA

4.1. The Company processes personal data only on at least one of the grounds set out in Article 6 (1) of the Regulation. In most cases, the Company processes personal data in accordance with at least one of the following grounds of lawfulness:

4.1.1. with the consent of the data subject (Article 6 (1) (a) of the Regulation). If personal data are processed on the basis of the data subject's consent, the Company processes only those specific personal data for which consent has been obtained and only for the purpose (-s) for which those data were provided. The data subject has the right to withdraw his consent at any time. Withdrawal of consent must be as easy as giving it. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 14 (fourteen) years old;

4.1.2. the processing of personal data is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract(Article 6 (1) (b) of the Regulation). Pursuant to this clause, the Company processes personal data when the contractual and (or) pre-contractual obligations assumed to the data subject cannot be fulfilled without have certain personal data;

4.1.3. the processing of personal data is necessary to fulfill legal obligations on the controller(Article 6 (1) (c) of the Regulation). The Company is obliged to process personal data in order to implement legal requirements established, for example, in the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania;

4.1.4. the processing of personal data is necessary for the legitimate interests of the controller or of a third party, unless such interests of the data subject or fundamental rights and freedoms necessitating the protection of personal data take precedence over them(Article 6 (1) (f) of the Regulation); While carrying out its activities, the Company faces a number of challenges, therefore it is often necessary to take measures to ensure its (in certain cases – third parties) rights and legitimate interests. It is difficult to define in advance the specific legitimate interests in the protection of which the Company processes personal data, but most often it is related to legal protection in various dispute resolution institutions, fulfillment of contractual obligations (when the data subject is not a party), improvement of the Company's services.

5. PURPOSES AND SCOPE OF PERSONAL DATA PROCESSING

5.1.1. The main purposes of using personal data processed by the Company are:

Identification of the client and the beneficiary, provision of financial services (granting of loans).

Personal data are processed on the basis of the legal obligations applicable to the financial service provider established in the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania, the Law on Financial Institutions of the Republic of Lithuania and other legal acts regulating financial services (granting loans). It should be noted that the Company must establish the identity of the customer, the beneficiary before the establishment of business relations, i.e. until the conclusion of the loan agreement.

Lawfulness: Article 6 (1) (c) of the Regulation.

Personal data that may be processed for the specified purpose: name; surname; personal code; date of birth; citizenship; address of declared place of residence, address of residence; e-mail address, telephone number; IP address; face photo; payment account number; data of the identity document and a copy of this document; data on the temporary residence permit and a copy of this document;

position held; information on whether the person and (or) close family members and (or) close assistants are going or in the last 12 (twelve) months. held important public positions in Lithuanian, EU, international or foreign institutions; information on whether the person is not included in the list of persons subject to international sanctions; details of the power of attorney and a copy of this document; other personal data that the Company must process in order to achieve the above purposes.

5.1.2. Fulfilment of other pre-contractual and contractual obligations.

Personal data shall be processed in order to properly and timely execute the contract already concluded and (or) to perform the actions necessary for the conclusion of the contract. The Company notes that the submission of an application via the website and (or) in other ways is treated as a request to enter into a contract. The Company also notes that for this purpose the Company processes personal data both in cases where the party to the contract is a data subject and in cases where the data subject is not a party to the contract but the processing of his / her personal data is necessary for the performance of the contract in order to implement legitimate interest of the Company and (or) third party. If, in accordance with the provisions of the applicable legal acts, the Company is subject to and (or) incurs a legal obligation to process additional data, personal data shall be processed to the extent, for the purposes and in accordance with the procedure required by legal acts.

Lawfulness: Article 6 (1) (b) of the Regulation; Article 6 (1) (f) of the Regulation.

Personal data that may be processed for the specified purpose: name; surname; e-mail address; telephone number; payment account number; other data specified in the contract and (or) submitted during the performance of the contract necessary for concluding and (or) implementing the contract.

5.1.3. Providing information related to services upon request

Upon receipt of the request, the Company has a legitimate interest in providing accurate and relevant information related to the services provided.

Lawfulness: Article 6 (1) (f) of the Regulation.

Personal data that may be processed for the specified purpose: name; surname; age; e-mail adress; telephone number.

5.1.4. Marketing.

For this purpose, personal data is processed in order to submit proposals on the services provided by the Company, as well as to conduct surveys related to the Company and the services provided by it. By this Privacy Policy, You acknowledge that You are aware that provided and below indicated personal data may be processed for direct marketing purposes. The Company notes that You have the right at any time and without giving reasons or motives to refuse or withdraw your consent to the processing of personal data relating to you for direct marketing purposes, in accordance with Section 9 of the Privacy Policy.

Lawfulness: Article 6 (1) (a) of the Regulation.

Personal data that may be processed for the specified purpose: name; age; e-mail address; telephone number.

5.1.5. Administration, processing and execution of data subjects' requests.

The Company processes the data subjects' data in order to ensure the data subjects' rights set out in the Regulation. This purpose includes processing of personal data for the purpose of administering, examining, executing requests, providing answers and taking other actions necessary to exercise the rights of the data subject.

Lawfulness: Article 6 (1) (c) of the Regulation.

Personal data that may be processed for the specified purpose: name; surname; address of declared place of residence, address of residence; e-mail address, telephone number; data of the identity document and a copy of this document; data on the temporary residence permit and a copy of this document; other personal data that the Company must process in order to achieve the above purpose.

5.1.6. Improvement of the provided services.

Personal data are processed in pursuit of the Company's legitimate interest in order to to improve technical and organizational measures; to ensure the adaptation of the provided services to the used equipment; to increase satisfaction with existing services; to test and improve technical means and IT infrastructure.

Lawfulness: Article 6 (1) (a) of the Regulation; Article 6 (1) (f) of the Regulation.

Personal data that may be processed for the specified purpose: IP address; operating system version; settings of the device that is used to access Company’s content, services; time and duration of login session; search query terms entered through Company’s website; any other information stored in cookies (for more information about cookies check Section 11).

5.1.7. Protection of the Company's rights and legitimate interests in courts and other dispute resolution bodies and institutions.

Personal data are processed by the Company in order to exercise and (or) protect its (in certain cases - third parties) rights and legitimate interests in courts, other dispute resolution bodies, responsible institutions and bodies. The processing of personal data for this purpose includes, but is not limited to, debt management, the provision of documents for debt recovery, the submission of documents for legal or other professional advice, the submission of claims and other pre-trial and procedural documents.

Lawfulness: Article 6 (1) (f) of the Regulation.

Personal data that may be processed for the specified purpose: all the above-mentioned personal data, as well as documents sent to the data subject and their annexes, the amount of indebtedness, documents sent or submitted by the data subject and / or third parties (e.g. notaries, bailiffs, lawyers, heirs, etc.) and their annexes, procedural documents containing personal data, etc.

6. STORAGE PERIOD

The Company stores personal data to the extent necessary to achieve the stated purpose. Upon reaching the set goal, personal data are deleted, except in cases when the Company is obliged to store information by other legal acts and (or) personal data may be necessary for the performance of pre-trial investigation.

Personal data is generally stored for as long as the contractual relationship may give rise to reasonable claims or to the extent necessary to implement and protect the legitimate interests of the Company. In most cases, when the data subject stops using the services of the Company, personal data is stored for another 10 (ten) years, taking into account the general limitation period established by the Civil Code of the Republic of Lithuania.

After the expiration of the retention period, personal data are deleted in such a way that it cannot be reproduced.

7. PERSONAL DATA PROVIDERS

The Company, taking into account the basis of lawfulness of personal data processing and the purpose of processing, collects personal data from the following sources:

directly from the data subject;

from legal entities;

credit and other financial institutions and (or) their divisions;

state registers;

non-state registers;

personal document data verification databases (for example, Invalid personal document databases, etc.);

credential verification registers (such as the notarised credentials registry and other databases);

companies managing joint debtors' data files (for example, in Lithuania CJSC Creditinfo Lietuva or others);

companies maintaining registers of international sanctions;

state institutions and bodies (for example, the State Tax Inspectorate);

law enforcement agencies;

other sources.

8. RECIPIENTS OF PERSONAL DATA

The Company ensures that personal data will not be provided or otherwise transferred to third parties without a legitimate basis or used for purposes other than those for which they were collected. However, in certain cases, when it is necessary for the provision of services, required by law or necessary to implement the legitimate interests of the Company, personal data may be provided to third parties.

The Company has the right to transfer personal data to processors that process personal data in accordance with the personal data processing purposes and instructions set by the Company. The processors must have the necessary technical and organizational security measures. When concluding an agreement with the data processor, the Company specifies, among other things, that the data processor must ensure the confidentiality of data transmitted by the Company for processing, and intends to obtain the prior written consent of the Company.

Personal data processed by the Company may be provided to data recipients who, after the transfer of data, process personal data for independent purposes and not in accordance with the Company's instructions. In this case, personal data are provided if such an obligation is provided by law, with the consent of the data subject, on other grounds of legality (e.g. execution of contractual obligations protection of rights and legitimate interests of the Company and others).

The provision of personal data to the recipient must be necessary to achieve the purpose for which the data were processed prior to the collection of the data, or there must be an appropriate legal basis for processing and providing the data for a new purpose. The Company may (or is obliged to) to disclose personal data to following entities (the list is not exhaustive):

data processors;

data processors;

banks and other undertakings providing payment services;

legal, audit and other professional service providers;

debt collection service providers;

companies processing consolidated debtor files (e.g. in Lithuania, UAB "Creditinfo Lithuania" or other);

other carefully selected buisiness partners (if necessary);

courts, pre-trial investigation bodies, prosecutors, etc.;

notaries, bailiffs.

If the Company provides personal data to countries outside the European Economic Area, the Company ensures that one of the following security measures is applied:

the recipient of the personal data is established in a country which is recognized by the European Commission as having adequate data protection standards ("Adequacy decision“);

the contract signed with the data recipient is based on the Standard Contract Terms approved by the European Commission;

in the case of personal data transfer between group of undertakings, the rules binding on group of undertakings shall apply;

permission has been obtained from the State Data Protection Inspectorate;

the consent of the data subject to the transfer of personal data outside the European Economic Area.

9. RIGHTS AND ENFORCEMENT OF RIGHTS OF THE DATA SUBJECT

Data subjects have the following rights set out in the Regulation:

Data subjects have the following rights set out in the Regulation:

the right of access to data;

the right to request the rectification of data;

the right to erasure ("right to be forgotten");

the right to restrict data processing;

the right to data portability;

the right to object to the processing.

The Company notes that the rights of data subjects are not absolute and may be limited. This concerns in particular the right to erasure ("right to be forgotten"). This right does not apply if, for example, the personal data requested to be deleted are processed in order to fulfill a legal obligation and (or) to protect the legitimate interests of the Company and (or) the processing is necessary for the performance of the contract.

Data Subject in order to implement rights stipulated in Article 9 (1) of the Privacy Policy has the right to submit an application to the Company in the following ways:

by e-mail info@inrem.org;

by registered mail to Kareiviu str. 6 - 504, Vilnius, Republic of Lithuania

by logging in to the client's account on the Company's website;

upon physical arrival at the Company's office, at the address Kareiviu str. 6 - 504, Vilnius, Republic of Lithuania by prior arrangement of the date and time of the visit.

The data subject's request must contain the following information:

data enabling the identification of the data subject;

actions requested;

personal data in respect of which such action is requested;

supporting documents for representation (if applicable);

supporting documents for information and / or data (if applicable).

If the request is submitted by e-mail, it must be signed using electronic signature; If the application is submitted by registered mail, a signed original of the application and a copy of the identity document, certified by a notary or other procedure established by legal acts, are required; If the request is submitted physically upon arrival, the data subject must submit the original of the identity document or a copy of the identity document certified by a notary or other procedure established by legal acts; If the request is made after logging in to the client's account on the Company's website, the Company has the right (but not the obligation) require additional verification in one of the above-mentioned ways. A sample application form is provided in Appendix No. 1 to this Privacy Policy.

If the data subject wishes to express his or her disagreement and (or) revoke the consent to the processing of personal data for direct marketing purposes, it may be done in one of the ways established in the Articles 9.3.1.-9.3.4 providing data specified in Articles 9.4.1.-9.4.4 of the Privacy Policy. In this case, Article 9 (5) of the Privacy Policy does not apply, unless the Company has reasonable doubts about the identity of the data subject.

Upon receipt of the data subject's request for the processing of personal data, the Company shall register it in the logbook dedicated to the registration and administration of the requests submitted to the Company related to the processing of personal data “Personal data Processing Logbook” (Annex No. 2 to the Privacy Policy).

Upon receipt of a data subject's request regarding the illegality or dishonesty of his / her data processing, the responsible person of the Company immediately checks the lawfulness and dishonesty of personal data processing and, upon receipt of a written request, checks / verifies the compliance of personal documents with legal requirements, immediately destroys illegally and fraudulently collected personal data or suspends such processing, except storage. The information provided by the data subject and all further actions performed with this information are documented in the “Non-Compliance Tracking Log” (Annex No. 3 to the Privacy Policy). The Company examines the data subject's request and informs the data subject about the actions taken upon receipt of the request within 1 (one) month from the date of receipt of the request and the required documents / information. This period may be extended by a further 2 (two) months, if necessary, depending on the complexity and number of applications. The Company shall inform the data subject of such extension within 1 (one) month of receipt of the request identifying reasons for the delay.

The data subject shall be informed and the response and data shall be provided in the form in which the request was made, unless the data subject's request specifies information to be provided in another form. The Company reserves the right to provide information in the manner of its choice, if the provision of information in the form provided / requested by the data subject requires significant financial and / or time costs.

The data subject has the right to apply to the supervisory authority - the State Data Protection Inspectorate, company code 188607912, address A. Juozapaviciaus str. 6, 09310 Vilnius; tel. (8 5) 271 2804, 279 1445, fax. (8 5) 261 9494, e-mail ada@ada.lt

10. RECORDS OF PROCESSING ACTIVITIES

The Company must compile and manage the ROPA, which are necessary for the Company to have constant and up-to-date information on the scope of its data processing activities, the persons participating in it, and the processing tools used and other neccesary information.

When managing ROPA, the Company follows the recommendation “On records of data processing activities” prepared by the State Data Protection Inspectorate (for more information: https://vdai.lrv.lt/lt/naujienos/valstybine-duomenu-apsaugos-inspekcija-parenge-rekomendacija-del-duomenu-tvarkymo-veiklos-irasu).

Data activity records are internal documents of the Company that may contain confidential information and therefore cannot be disclosed and must be kept in the same manner as other confidential information of the Community.

11. COOKIES

Cookies are small text files that a website stores on Your computer, mobile device, tablet or on other smart devices when You visit it . Cookies are used to help You browse websites and perform certain functions efficiently. You can find more information about these technologies and how they work, for example, at allaboutcookies.org.

The Company's website https://inrem.org/ may use essential, functional, performance-enhancing, targeted or promotional cookies. Cookies required for the operation of the website (essential cookies) are mandatory, as the website cannot function properly without them. The Company may use these cookies without Your consent.

Other cookies will only be stored on Your device if You consent to their use. The Company notices that without consent to the use of all cookies, some functions of the website may not work or may not work properly.

With the help of computer settings You can edit the settings for the use of cookies, i. e. delete (block) cookies or part of them. In order to refuse or block cookies, You must change Your browser settings.

Personal data collected with the help of cookies is stored until the consent is revoked, and if the right to revoke the consent is not exercised or, in the case of necessary cookies, until the expiry of the specific cookie.

12. CONTACT DETAILS

All questions, documents and information related to this Privacy Policy can be sent to the following contacts:

Controller Inrem finance, CJSC (org. Inrem finance, UAB)

Legal entity code 305571479

Registered office address Kareiviu str. 6-504, Vilnius

Office address Kareiviu str. 6-504, Vilnius

Internet site https://inrem.org/

Tel. No. +370 61695480

El. Mail adress info@inrem.org

Register Register of Legal Entities of Respublic of Lithuania

Representative Director Andrey Ryabtsev

The Privacy Policy was approved on 07-05-2021 by Inrem finance, CJSC Director’s Order No. IF(V)-21/05/07-1

Last reviewed 07-05-2021

Kareiviu str. 6, Vilnius, LT-09117