1. Terms and definitions
Personal data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing of personal data – means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller – means the natural or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Joint-controller – two or more controllers who jointly determine the purposes and means of data processing. They have equal responsibilities for compliance with the obligations under the GDPR in ensuring the rights of the data subject are met, the data subjects are appropriately informed and there is designated contact point for data subjects.
Processor – means a natural or legal entity, public authority, agency or other body which processes personal data on behalf of the controller;
Third party – means a natural or legal entity, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
Data subject – a person whose personal data is processed (e.g. client who is a natural person, website user or a contact person of a legal entity client).
Investor – a person who through our platform invests in pre-vetted, short-term, property-backed loans in Europe.
Investor data –natural person who has registered as user on the platform. When an investor is a legal entity, then the personal data is the name, ID number, date of birth, and contact data of a natural person related to that legal entity.
Borrower – a legal entity receiving finance to their real estate development project.
Borrower data – personal data of natural persons related to the borrower, including but not limited to the contact person, the managers and the beneficial owners of the borrower and any natural persons providing collateral for securing the financing transaction concluded with the borrower. Borrower data also includes loan guarantors data, who can be a legal (company) or a natural person. We ask for loan guarantors to make investments more secure for our investors
User – Estateguru’s investor or borrower. When investor or borrower is a legal entity, then contact data of natural person of that legal entity.
2. The controller
Estateguru can be a controller, joint-controller or processor in various personal data processes.
Estateguru OÜ is the controller for all investor and borrower data, for all data you have registered on our website, for all data we obtain through public registers or internet, for our supplier or partner personal data and for the data of website visitors.
Estateguru OÜ (registry code: 12558919)
Tartu mnt 2
We are joint-controller with Lemonway SAS in the payment processing for loans and investors based in Finland , Germany and Lithunia.
Lemonway SAS (registry code: 500 486 915)
8 rue de Sentier
3. Contact data of DPO
4. What type of personal data do we process?
We collect directly following personal data:
Identification data – first and last name, personal code and/or date of birth, age, language and profession;
Contact data –phone number, e-mail address, home address;
Authentication data – personal ID number and type, date of issue and validity of an identification document with a photo, gender and citizenship;
Compliance data – to apply know your customer, anti-money laundering and prevention of terrorism financing principles we conduct background checks when you join us and monitor your transactions once you are our client. The data we check, includes but is not limited to your residency data, profession, origin of funds used in transactions, qualifications or connections to politically exposed persons, and whether or not you are subject to international financial sanctions;
Transactions data – financial transactions made via the portal, user’s preferences of transaction profile types and user’s automatic lending placement settings;
Contract data – any contracts concluded by the user via the portal;
Bank account data – for natural persons account holder, account number, IBAN, Swift, name of the bank;
Payment services data – for natural persons name, surname, e-mail, date of birth, country of residence, nationality, proof of residence, copy of identification document and IP address used for registration, payer or recipient.
Loan guarantor data – identification and contact data, bank account data, proof of assets used in guaranteeing the loan.
Usage data – time and number of log-ins, including log-ins via Facebook, LinkedIn or other third-party service provider and log-in token.
Internet data – data on website visitors’ sessions, cookies, log data and IP addresses.
5. Purpose of processing and lawful base when processing your personal data?
Estateguru processes personal data to ensure performance of a contract, to comply with legal obligations, out of legitimate interest, or with data subject’s consent.
5.1 Data processing required for performance of a contract.
Data processing is necessary for performance of a contract concluded with you or for taking measures required prior to signing of the contract.
|Purpose of processing||Personal data categories|
|Investing||identification data, contact data, authentication data, compliance data, bank account data, transactions data, contract data, usage data and internet data|
|Borrowing (legal entity)||identification data, contact data, authentication data, compliance data, bank account data, usage and internet data|
|Registering on the platform||Identification data, contact data, Compliance data|
|Commencing investments||Bank account data|
5.2. Processing to fulfil legal obligations of EstateGuru
Legal obligations of processing include all personal data processing under relevant laws and regulations in all of our locations for example European financial sector regulations, accounting law or crowdfunding regulations. These laws and regulations mandate the type of data collected and data retention periods.
|Purposes of processing||Personal data categories|
|Compliance checks of borrowers||Contact data, identification data and compliance data|
|Accounting, payments to investors and to vendors||Identification data and contact data|
|Republic of Lithuania Law on Financial Institutions and The Finnish Crowdfunding Act||Identification and compliance data|
|Responding to public authorities’ and state institutions’ information requests||Contact data|
5.3. Data processing based on Estateguru’s legitimate interest
A legitimate interest means that data processing is necessary for our business purposes. We process personal data based on our legitimate interest only if we have conducted balance test to measure the impact of the processing on your privacy and data protection rights. You have a right to receive additional information about our or third-party legitimate interest and to object to the personal data processing. If you object to the processing of your personal data under our legitimate interests, we shall no longer process the personal data for that purpose unless we demonstrate compelling legitimate grounds for the processing. When you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
|Purpose of processing||Personal data categories|
|Investor updates of investment performance||Contact data, usage data and contract data|
|Investor profiling (see below)||Contact data, usage data, internet data and contract data|
|Suggesting investment targets to investors||Usage data and internet data|
|Borrower suggested loan guarantors to add additional security to a loan||Loan guarantor data|
We use different data processing technologies to process your data using mathematical analysis, statistics or other methods enable us to create investor profiles, establish probabilities and match you with suitable investment opportunities. The information received gives us an opportunity to evaluate and predict your preferences in investment and offer to you the investment options matching your expectations.
5.4. Data processing based on your consent
When processing personal data with consent as lawful basis we only process specifically what you have consented to. The consent is freely given, specific and informed. You can take back consent at any given time and as easily taken back as it was given.
|Purpose of processing||Personal data categories|
|Cookies (except for necessary cookies)||Internet data|
When you give consent you have a right to withdraw your consent at any time by contacting us at: firstname.lastname@example.org and we will delete the data we are processing based on your consent unless we also need the personal data for personal data processing activities conducted under other legal bases.
6. How to we collect your personal data?
We collect your personal data from the following sources:
- Directly from you;
- Indirectly from third parties such as public authorities, identity verification service providers;
- If you are a related person to our legal entity client (investor or borrower) such as a representative, a manager, an owner or a beneficial owner.
7. Who else processes your data in addition to Estateguru?
Inside our organisation your personal data is accessible only to those Estateguru employees who need the data to perform their work duties (on so-called need-to-know basis).
Outside Estateguru and strictly limited by necessity and pursuant to the purposes, Estateguru may transfer data to following categories of data processors who process personal data in the course of providing services to us:
- service provides such as (not a complete list and subject to change): IT maintenance service provider, server housing, e-mail server provider, website administrator, auditor, lawyers, institutional investors (such as banks, property developers etc.);
- if legally obliged, your data to public authorities and institutions (e.g. police, courts, alarm centre, Data Protection Inspectorate);
- banks, payment or e-money institutions providing payment transfer services to whom we transfer personal data related to payments to fulfil the agreement concluded between you and us or to apply prevention of money laundering and terrorism financing measures.
We have concluded a data protection agreement with our partners and recruiting companies to ensure secure processing of personal data. These contracts oblige the other parties to:
- take appropriate measures to ensure confidentiality and security of the personal and
- process personal data in compliance with legal requirements and the agreement.
We do not store or transfer your data outside the European Economic Area or to countries which the European Commission considers to have an adequate level of protection of personal data, except for cases described in chapter 8. If necessary, the transfer will only take place if we have a legal basis for it, in particular if we have concluded an agreement with the recipient which meets the requirements established in GDPR for the transfer of personal data outside the EEA and have applied other relevant measures to ensure the security of the transfer.
To ensure your privacy rights are protected, Estateguru abides by confidentiality principles and strictly limits disclosure of personal data.
8. Transfer to the third countries
A third country is a country other than the EU member state, EEA country or a country that doesn’t have European Commission adequacy decision. If you are our investor from Finland or Lithuania, we transfer your personal data to third countries to facilitate the payments. The payments are made via our joint-controller and their approved and vetted sub-processors.
9. How long do we retain your personal data?
Your personal data is retained for as long as required by legal requirements or until the purpose of processing is fulfilled. Below are some examples of data retention periods:
|Until withdrawal of consent for processing based on consent||We delete the data that we process solely under your consent immediately after you withdraw the consent.|
|5 years||The data we collect when applying measures for the prevention of money laundering and terrorism financing|
|7 years||All accounting base documents such as, base documents for transaction conducted via our platform (loan agreements, repayment schedules, invoices).|
|3 years (after expiry or termination of contract)||Identification data and contact data to protect us against potential claims or to file a claim for protecting ourselves and our own rights|
10. Security of your personal data
Estateguru employs necessary legal, organisational, physical and technical security measures to protect your personal data. Some examples of the measures we use:
Physical measures – the offices are locked and paper-based documents containing personal data are stored in locked cabinets.
Technical measures – computers are password protected and encrypted as necessary; firewalls and antivirus programmes are in use; backups are done regularly; all IT system users are assigned roles and profiles.
Organisational means – data protection, information security and access management policy; regular employee training, confidentiality requirements for employees.
11. Your rights concerning your personal data
11.1 You have the right to receive information what data we process about you. To receive a copy of what personal data we hold about you contact us on the e-mail below.
We have a legal obligation to make sure that a person requesting information about themselves is indeed the person who has the right to receive the data. For this reason, you may have to prove your identity or right to request the data.
11.2 You have the right to request deletion of your personal data. Please keep in mind that we cannot delete any data that we process to fulfil contractual or legal obligation.
11.3 You have the right to object to or restrict the processing of your personal data.
11.4 You have the right to data portability which means that if technologically possible we can forward your data in a digital format to other similar service.
To exercise the any of the abovementioned rights contact us at the contact data given in the point 3 of the Policy.
12. The right to submit a complaint to the Data Protection Inspectorate
In case you consider your privacy and data protection rights breached you have the right to lodge a complaint to a Data Protection regulator at locations where we operate.
A cookie is a small piece of data or message that is sent from an organisation’s web server to your web browser and is then stored on your hard drive. Cookies can’t read data off your hard drive or cookie files created by other sites, and do not damage your system.
However, you can reset your browser so as to refuse any cookie or to alert you to when a cookie is being sent. Web browsers allow you to control cookies stored on your hard drive through the web browser settings. To find out more about cookies, including what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org.
If you choose not to accept our cookies, some of the features of our site may not work as well as we intend.
|NID||.google.com||Advertisement||This cookie is used to a profile based on user’s interest and display personalized ads to the users.||6 months|
|_fbp||.estateguru.co||Advertisement||This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.||3 months|
|bscookie||.www.linkedin.com||Advertisement||This cookie is a browser ID cookie set by Linked share Buttons and ad tags.||2 years|
|_gcl_au||.estateguru.co||Analytics||This cookie is used by Google Analytics to understand user interaction with the website.||3 months|
|_gid||.estateguru.co||Analytics||This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.||1 day|
|_ga||.estateguru.co||Analytics||This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.||2 years|
|_hjFirstSeen||.estateguru.co||Analytics||This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.||30 minutes|
|__hstc||.estateguru.co||Analytics||This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).||1 year 24 days|
|hubspotutk||.estateguru.co||Analytics||This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.||1 year 24 days|
|G_ENABLED_IDPS||.estateguru.co||Functional||The cookie is used by Google and is used for Google Single Sign On.||7978 years 6 months 21 days 19 minutes|
|lang||.ads.linkedin.com||Functional||This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.||session|
|bcookie||.linkedin.com||Functional||This cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.||2 years|
|lidc||.linkedin.com||Functional||This cookie is set by LinkedIn and used for routing.||1 day|
|lang||.linkedin.com||Functional||This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.||session|
|__hssc||.estateguru.co||Functional||This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.||30 minutes|
|PHPSESSID||estateguru.co||Necessary||This cookie is native to PHP applications. The cookie is used to store and identify a users’ unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.||session|
|__hssrc||.estateguru.co||Necessary||This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.||session|
|org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE||estateguru.co||Other||This cookie is set by the provider Infoniqa engage, used for webforms in a website. The cookie stores the language for the application process.||10 years|
|sidebarClosed||estateguru.co||Other||No description||2 years 8 months 26 days|
|_dc_gtm_UA-47926272-1||.estateguru.co||Other||No description||1 minute|
|_ga_QB09HKY478||.estateguru.co||Other||No description||2 years|
|_hjid||.estateguru.co||Other||This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.||1 year|
|UserMatchHistory||.linkedin.com||Other||Linkedin – Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.||1 month|
|AnalyticsSyncHistory||.linkedin.com||Other||No description||1 month|
|li_gc||.linkedin.com||Other||No description||2 years|
|_hjIncludedInSessionSample||estateguru.co||Other||No description||2 minutes|
|_hjAbsoluteSessionInProgress||.estateguru.co||Other||No description||30 minutes|
|_gaexp||.estateguru.co||Performance||This cookie is used to determine a user’s inclusion in an experiment and the expiry of experiments a user has been included in.||2 months 2 days|