Vespia OÜ, previously known as KYB Platform OÜ, (hereinafter we) is an Estonian company offering digital solutions for verifying and onboarding legal entities with the aim to minimise the risk of fraud and stay compliant with AML regulations (hereinafter service).
Vespia is a B2B company, meaning that most of our clients are other companies. Therefore, in these privacy terms, we explain how the personal data of contact persons and representatives of our clients and visitors of our website (hereinafter you or users) is processed when using our services or visiting our website.
The terms and conditions on how Vespia process the data (including personal data) uploaded to or created when using our services by our clients are regulated in our Terms and Conditions (hereinafter T&C) and the Data Processing Agreement (hereinafter DPA) between us and our client – in such case, our client is in the position of the data controller and Vespia acts as the data processor.
For a better understanding, we hereby explain some data protection terms used herein.
GDPR means the General Data Protection Regulation (EU) 2016/679), implementation of which started on 25 May 2018, and which is directly applicable in all European Union member states.
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing means any operation or set of operations that are performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller means the entity that decides why and how the personal data is processed.
Processor means the entity which processes personal data on behalf of the controller.
Registration code: 16017942
Seat: Maardu city, Harju County, Estonia
The type of personal data we collect and process
Vespia collects different types of information when you use our services. As we are a B2B business, we collect your data through the use of our services and process your personal data to communicate with the client (i.e. the company on whose behalf you act) for the provision of services. This means that the processing of your personal data is based on our legitimate interest – you are the representative via whom our client communicates with us and vice versa.
Information collected from the user. The users of Vespia service usually provide us with the following data: first and last name, e-mail address, geographic area, position in the company (i.e. our client), language preferences, preferred services, industry in which the company (i.e. our client) operates. This information is provided when signing up as a user of our services, when using our services via the web, when giving us marketing permission to receive messages from us, when giving us feedback or leaving us a message to contact you, or otherwise getting in touch with us.
When you are not a user of our services but visit our website and/or public areas of service you also may provide us with some limited personal information like your first and last name, e-mail address, company you are working for, etc.
Information collected automatically. If you use our services as a user or visit our website, we may automatically record certain information from your device by using different technologies such as cookies and web beacons. The data automatically collected may include IP addresses (to determine a user’s location, and perform statistical/ demographic/ usage analysis), information about browsers and user's device, browsing activity across different sites, pages, or other content you view or interact with on the service, dates and times of the visit, access, or use of the service.
Information obtained from other sources. We may also obtain information (incl. personal data) from public sources, such as commercial/trade registers, the internet, and from third parties, such as credit registers, for background and credit information analysis.
Information processed through the use of our service by the client. When using the services, our clients (the companies you represent/work for) upload and process various data (e.g. data of their customers, partners, suppliers, merchants, investors, or another legal or natural person whom the client wishes to verify via using of the service) through our services. In such a case, the personal data is under the control of our client and Vespia may process such personal data for the purposes and to the extent necessary to provide the services ordered by the client in accordance with T&C and DPA. Hence, in such a situation, Vespia acts as a data processor and processes the personal in accordance with the data processing agreement concluded with the client.
Purposes and legal basis for the use of personal data
As explained above, we mainly use your data for the rendering of the services which the client has ordered from us and for communicating with the client you represent. Doing that we use the data obtained for (i) our business operations (operating, maintaining, improving the features of our services, communicating with clients), (ii) business development (analysing usage statistics, preferences, trends for development of new services and products), (iii) marketing (news and offers relating to our services and products). You may always opt-out of receiving any marketing communications as described below under Your rights section.
The legal basis for doing this is our legitimate interest – we need to communicate with a legal person and if you act as representative of one, we assume that there is a balance of interest and we do not conflict with your interests, rights, and freedoms. In case the processing of the personal data is based on legitimate interest, the data subject always has the right to object to such processing. If you do object, we will inform our client asking to provide us with a new contact person or otherwise comment on your objection.
In connection with your work or area of responsibility, we may from time to time send you direct marketing offers and notices, for example, if your employing company is our customer or if you have previously subscribed to our services as a representative of your company. Such direct marketing activities are also carried out based on our legitimate interests. If you receive such direct marketing messages from us, you always have the right to opt out by clicking the opt-out link at the end of the message.
Sharing of your data
With Vespia, your personal data is accessible only to those employees who need the data to perform their work duties (on a so-called need-to-know basis). Outside Vespia, we may share your data with the following persons under the following circumstances and only to the extent required:
✔ Persons providing services to us: Your data may be accessible by the persons providing services to us and processing your data on our behalf (data processors) and to the extent needed to perform such services. These include providers of hosting, maintenance, invoicing, marketing, data analytics, and development services.
✔ Public authorities and state institutions (e.g. police, courts, data protection authorities): we will only disclose your data when and to the extent we are legally obliged to do it.
✔ Third parties in connection with legal processes (e.g. legal, financial advisers): we may share or disclose your data if it is necessary to protect our property and rights (incl. present legal claims for that purpose), enforce our contracts, defend ourselves against any third-party claims.
✔ Third parties in connection with corporate transactions: We may share your information with third parties in the context of a corporate transaction, such as the sale of our company or issuing new shares to investors or sale of company's business/assets to another company. Also, in the context of the creation of a joint venture, merger, or other reorganisation.
As a rule, your personal data is processed in the European Economic Area (EEA). However, if there is a need to transfer the data out of EEA, we follow GDPR requirements regulating such transfers.
Retaining of personal data
We retain your data for as long as necessary for the purposes of processing described in these privacy terms and to comply with any mandatory legislation:
✔ we will retain the user account data as long you are an active user and for up to 1 year of inactivity;
✔ we are legally obliged to keep invoicing data and the documentation which it is based on for 7 years;
✔ we keep information on legal transactions between us and our client for the statutory limitation period set for civil claims (3 years, 10 years in case of intentional breach) to be able to protect ourselves against any legal claims and to file legal claims for our protection.
In addition, we may process the data in an aggregated or anonymised format, for example for analysis and statistical purposes and to improve and develop our services.
Right to access – you have the right to know which data we hold about you (if any).
Right to data rectification – you have the right to require corrections to your personal data in case they are inaccurate or incomplete.
Right to data deletion – you have the right under certain conditions to request the deletion of your personal data including in situations where the processing of your personal data is no longer necessary for the purposes for which it was collected, or if the processing of your personal data was based on your consent and you wish to withdraw your consent, and there are no other grounds for processing your personal data.
Right to restrict processing – you have the right under certain circumstances to forbid or restrict the processing of your personal data for a certain period (e.g. you have submitted an objection concerning data processing).
Right to object – You have the right to object to data processing which is based on our legitimate interest. Vespia will stop processing your personal data upon such objection unless we can demonstrate compelling legitimate grounds for the processing or processing is needed for the establishment, exercise, or defense of legal claims. You also have the right to object at any time to the processing of your personal data for direct marketing. Upon receiving such an objection, we shall stop processing your personal data for direct marketing.
In order to exercise your rights, please send your respective inquiry to firstname.lastname@example.org. We have the right to respond to your query within 30 days.
For the sake of clarity, the provisions of this Section 6 do not apply to personal data that Vespia processes on behalf of its clients. In this case, the personal data is controlled by the client and managed according to the client's privacy terms. Hence, all data subject's requests should be made to the client liable for uploading and storage of such data into the service.
The right to submit a complaint to a supervisory authority
Should you need further information concerning your personal data or exercising your rights, you have the possibility to contact us at email@example.com.
If you believe that processing of your personal data breaches the requirements of the GDPR, you have the right, without prejudice to any other administrative or judicial remedy, to file a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. In Estonia, the relevant supervisory authority is Data Protection Inspectorate (Andmekaitse Inspektsioon).
Amendments to these Privacy Terms
Vespia has the right to unilaterally change these privacy terms in the event of changes in personal data protection legislation or our own data processing practices. We will notify you of changes on our website. The latest version of the privacy terms is always available on our website https://kybplatform.com/