Privacy Policy

PRIVACY POLICY
Effective from 04 06 2024

This Privacy Policy applies to all customers of First Digital Trade Europe UAB, a company registered in the Republic of Lithuania with 306129492 registration number and registered address at Kaykyos 18-10 01100 Vilnius, Lithuania ("Royal Card", "CartaReale.com", "we", "us", "our"). Please read it carefully before providing us with any information about yourself. The protection of your personal data is of paramount importance to us and we are committed to treating it with the utmost care and security.

1. Introduction

This policy demonstrates our commitment to transparency and the protection of your privacy rights and sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us. It applies to the processing of personal data by First Digital Trade Europe UAB, in relation to:

Please note that our Services, Site and Apps are not intended for children under the age of 18 and we do not knowingly collect data relating to minors. For feedback or any privacy requests, please contact us using the details provided at the end of the policy. In order to use our services, you must agree to the terms and conditions of this Privacy Policy in its entirety.

We are committed to:

• keep your personal data private and secure;
• not to sell the customer's personal data;
• allow the customer to manage and review their marketing choices at any time.

2. Who we are

The company First Digital Trade Europe UAB is the data controller. The data controller is the legal entity that determines the means and purposes of any processing activity it performs.

2.1. Data Protection Officer

We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing applications in relation to this Privacy Policy. If you have any questions or complaints regarding this Privacy Policy or our privacy practices, or if you wish to exercise your legal rights, please contact our DPO at compliance@firstdigitaltrade.com.

 

2.2 Privacy Complaints

You have the right to lodge a complaint with a supervisory authority about the way we process your personal data. If you reside in an EEA (European Economic Area) Member State, you have the right to lodge a complaint with the supervisory authority in the EEA Member State of your habitual residence, place of work or place of the alleged infringement, or with the Lithuanian Data Protection Authority (Personal Data Protection Commission).

We would, however, appreciate the chance to address your concerns before you approach a data protection regulator. So don't hesitate to contact us in the first instance.

3. Purpose

This Privacy Policy is intended to provide you with information about why and how we collect and process your personal data. It intends to inform you about your privacy rights and how the data protection principles set out in the EU's General Data Protection Regulation ("GDPR") and post-Brexit privacy law (known as the UK's GDPR) protect you.

This privacy policy is intended to be read in conjunction with other notices or policies that we may provide at specific times when we collect or process your personal data. This will help you fully understand why and how we use your data. This privacy policy supplements other notices and policies, not replaces them.

4. Personal Data We Collect

"Personal data" means any information about you that can be used to identify you. This data can be:

• Contact information: postal address, phone number, email address.
• Identification data: first and last name, date of birth, gender, identification documents (passports, identity cards, driving licenses, biometric characteristics)
• Customer Activity Information: Use of the Real Card to make purchases.
• Financial data: bank account details, payment card details.
• Technical data: IP address, browser type and version, time zone settings, operating system and platform.
• Usage Data: Information about how you use our Site, Services, and Apps.
• Marketing and communication data: marketing preferences, survey responses.

4.1. Origin of the data

We collect your personal data from a variety of sources, including:

• Direct interactions: when you provide data by filling in forms on our site, or by communicating with us by phone, email or otherwise.
• Automated interactions: when we automatically collect technical data through the use of cookies and similar technologies when you use our site.
• Third parties or public sources: when we obtain data from fraud prevention agencies, business partners, and public sources.

 

5. Data security

We take appropriate technical and organizational measures to protect your personal data against loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures include:

• Use of encryption technologies to protect data during transmission.
• Implement strict access controls to systems and data.
• Continuous staff training on data protection.
• Regularly monitoring and reviewing our security practices to address new threats and vulnerabilities.

6. Your rights 

You have rights that we need to make you aware of. The rights available to you depend on the reason for which we process your personal data. If you need more detailed information or wish to exercise any of the rights set out below, please contact us.

• Right of access: You have the right to request a copy of the personal data we hold about you.
• Right to rectification: You have the right to request the rectification of inaccurate or incomplete data.
• Right to erasure: You have the right to request the erasure of your personal data in certain circumstances (e.g. when the personal data is no longer needed or you withdraw your consent). 
• Right to restriction of processing: You have the right to request the restriction of the processing of your personal data.
• Right to data portability: You have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format.
• Right to object: You have the right to object to the processing of your personal data on legitimate grounds (e.g. if we process your data to improve our services, you can object if you believe that the processing is not justified in your particular case).

6.1. Exercising Your Rights

To exercise your rights, you can contact us using the contact details provided in the "Contact Us" section of this policy. We kindly ask you to provide the following information to facilitate us in processing your request:

• your full name and contact details;
• a clear and precise description of the right you wish to exercise;
• A copy of a valid ID to verify your identity (e.g., ID card, passport).

We will respond to your requests within one month of receiving your request, as required by the General Data Protection Regulation (GDPR). In exceptional cases, this period may be extended by a further two months if the request is particularly complex or if we receive numerous requests. In that case, we will inform you of the extension and the reasons for the delay within one month of receiving your request.

We do not charge a fee for exercising your rights, unless the request is manifestly unfounded or excessive. In such a case, we may charge a reasonable fee based on the administrative costs incurred or refuse to comply with your request.

7. Consent Processes

We will only use your personal data when applicable legislation allows us to do so. In other words, we need to make sure we have a legal basis for such use. Most commonly, we will use your personal data in the following circumstances:

• Performance of a contract: We use this basis for the provision of our Services.
• Legitimate interests: our interests (or those of a third party), where we ensure that we use this basis to the extent that your individual interests and rights do not override those interests.
• Compliance with a legal obligation: processing your personal data where it is necessary to comply with a legal obligation to which we are subject.
• Consent: a free, specific, informed and unambiguous indication of your will by which, by a statement or by a clear affirmative action, you express your consent to the processing of personal data concerning you.

8. Collection of your information

At Carta Reale, transparency is essential in the processing of users' personal information. For this reason, we would like to provide you with a clear explanation of how we collect and use your personal data.

8.1. Collection Methods

We collect your personal information in a number of ways, including:

• Direct interactions: When you request or use our services, you register to use our website or applications, or interact with us via phone, email, online chat, or other communication channels.
• Automated means: When we collect information automatically when you visit our websites through the use of cookies and other similar technologies. For more details on the cookies used and their purposes, please read our Cookie Policy.

All information collected is treated in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We ensure that personal data is collected only for specified, explicit and legitimate purposes, and processed in a lawful, fair and transparent manner.

8.2. Sources of Collection

In some cases, we may also obtain information about you from third parties, such as credit reference agencies or fraud prevention systems. In such situations, we ensure that we comply with data protection regulations and ensure that your rights are adequately protected. For more information about third parties, please see Section 12 ("Third-Party Services Used") of this Policy. 

 

8.3. Processing of Non-Personal Information

In addition to personal information, we may also collect and use non-personal information or anonymize personal information in order to make it non-identifiable. This non-personal information may be used for business purposes, such as trend analysis and optimization of our services.

8.4. IP Address Management

If IP addresses are considered personal information under applicable local laws, we will treat them as such and handle them in accordance with this Privacy Policy.

8.5. Application to Consumers and Companies

This Privacy Policy applies to both individual consumers and businesses. Regardless of your use of our Services, Websites, or Apps, we are committed to treating your personal information with the utmost respect. We ensure that your privacy rights are adequately protected in accordance with the General Data Protection Regulation (GDPR) and other applicable laws.

9. Categories of Personal Data

Depending on how you use our Services, Website or App, we may collect, use, store and transfer different types of personal data about you. We've broken this data down into the following categories:

Category of Personal Data	Specific Examples of Personal Data	Purpose of the Processing	Legal Basis for Processing
Identity Data	First name, last name, date of birth, gender, etc.	Management of user accounts, provision of services, personalization of the user experience, verification of the user's identity.	Performance of a Contract, Legitimate Interest
Social Identity Data	Company data, connections, etc.	Service Delivery, Risk and Compliance Assessment, Service Improvement, Personalization of Offerings.	Legitimate Interest, Consent
Contact Information	Email address, phone number, etc.	Communications with users, notifications regarding services, customer support, direct marketing (with consent).	Performance of a Contract, Consent
Financials	Bank details, payment card details, etc.	Payment processing, invoicing, transaction management, fraud prevention.	Performance of a Contract, Legal Obligations
Transactional data	Transaction details, source of funds, etc.	Invoicing, transaction monitoring, service improvement, legal compliance.	Performance of a Contract, Legitimate Interest
Technical Data	IP address, internet connectivity data, etc.	Site performance analysis, site security, user experience personalization, anonymous statistics.	Legitimate Interest, Consent
Profile Data	Username, password, preferences, feedback, etc.	Personalization of the user experience, user account management, communications with users.	Performance of a Contract, Consent
Usage Data	Information about site usage, interaction time, etc.	Trend analysis, site optimization, service improvement, personalization of offers.	Legitimate Interest, Consent
Marketing and Communication Data	Marketing preferences, survey responses, etc.	Sending marketing communications, personalizing offers, conducting market research.	Consent
Biometric and due diligence data	Facial data, biometric data.	Verification against the documents provided, unique identification of the account holder. Processed and stored by Sumsub. More information in Annex 1.	Legal obligation (European PSD2 Law)

 

 

9.1. Special Categories of Personal Data

Certain types of sensitive personal data are subject to additional protection under the legislation applicable to you. This data is commonly known as "special categories" of personal data and includes:

• Personal data revealing racial or ethnic origin.
• Political opinions.
• Religious or philosophical beliefs.
• Trade union membership.
• Genetic and biometric data processed for the purpose of uniquely identifying a natural person.
• Health-related data.
• Data concerning a natural person's sex life or sexual orientation.

As a rule, we do not collect sensitive personal data. However, if necessary, such as for the use of biometric data, we obtain your explicit consent and inform you in advance of the purpose of the collection of such data. Biometric data, such as fingerprints or facial recognition, is used solely to improve security and ensure the authenticity of logins. For further details on the biometric data used, please read Annex 1 of this Policy.

9.2. Refusal to Provide Personal Data

If we are required by law or under the terms of a contract to collect your personal data and you refuse to provide it, we may not be able to perform the contract we have or are trying to enter into with you. This may result in the inability to provide you with the Services you have requested. In such circumstances, we may need to cancel a product or service you have with us. We will inform you promptly if this happens.

10. How we use your personal data 

We use the information we collect about you for a variety of purposes, including:

• Provision of Products and Services: We use your personal data to provide you with the products and services you have requested, ensuring the proper performance of the contracts entered into between you and us.
• Important Notices: We notify you of any changes to our products or services and improve them based on feedback received.
• Account Management: We manage your account and monitor your use of our services to ensure the security and quality of the service.
• Service and Customer Support: We communicate with you to answer your questions, provide customer service and support, and alert you to potential issues or updates.
• Personalized Offers: We provide you with information about other products or services that we think may be of interest to you, based on your previous use or stated interests.
• Financial Assessment and Fraud Prevention: If you use our financial services, we use your information to assess your financial situation and prevent fraud or abuse of the financial system.

11. Use of Personal Data for Marketing Purposes

Direct Marketing

We may use your identity, contact, technical, transactional, usage and profile data to form an opinion about what we think may be of interest to you or you may need. This helps us decide which products, services, and offers might be relevant to you.

Legal Basis for the Processing of Marketing Data

• Consent: You will receive marketing communications from us if you have requested information, consented to receive marketing communications, or if you have purchased from us and have not opted out of receiving such communications. We will only use your marketing and communication data if we have obtained your explicit consent.
• Legitimate Interests: In some cases, we may use your personal data for marketing purposes based on our legitimate business interests, and we do not override your rights and freedoms.

Consent for Direct Marketing

We will ask for your explicit consent to use your personal data for direct marketing purposes. This consent can be given, for example, by ticking a checkbox when registering or during other interactions with us. You can withdraw your consent at any time by contacting us via the details provided in the "Contact Us" section of this Policy or by using the opt-out links in our marketing communications.

Data Subject's Rights Relating to Direct Marketing

You have the right to:

• Objection: You may object at any time to the processing of your personal data for direct marketing purposes. Once you have exercised this right, we will no longer process your personal data for such purposes.
• Withdrawal of Consent: You can withdraw your consent at any time without having to give a reason. This will not affect the lawfulness of processing based on consent before its withdrawal.
• Access and Rectification: You can access your personal data used for marketing purposes and request that it be rectified if you believe it is inaccurate.

11.1. Third-Party Marketing

We will obtain your explicit consent before sharing your personal data with third parties for marketing purposes. We will not share your data with any third party unless you have expressly consented to such sharing.

If you decide that you no longer wish to receive marketing communications from us or from third parties with whom we have shared your data (with your consent), you can exercise your rights by contacting us directly or by using the opt-out links provided in each marketing communication.

Our Site, Apps, and applicable web browsers may include links to third-party websites, plug-ins and applications ("Third-Party Sites"). By clicking on such links or enabling those connections, it is possible for third parties to collect or share data about you. We do not control these Third-Party Sites and are not responsible for their Privacy Notices and policies. When you leave our Site or Apps, we encourage you to read the Privacy Policy of each Third Party Site you visit or use.

12. Third-Party Services Used

To provide specific features of our products and services, we use the following third-party services. Your privacy is important to us, and we are committed to ensuring that all personal data shared with these Services is treated in accordance with applicable privacy laws:

• Intercom: Used for chat and customer support, answering your questions, and providing assistance. To view the Privacy Policy please use this link: https://www.intercom.com/legal/privacy . 
• Sumsub: Used for KYC (Know Your Customer) to ensure security and regulatory compliance. To view the Privacy Policy please use this link:  https://sumsub.com/privacy-notice-service/ . 
• HubSpot: Used as a CRM (Customer Relationship Management) to manage customer contacts and communications. To view the Privacy Policy please use this link:  https://legal.hubspot.com/privacy-policy . 
• SendGrid: Used as an email processor to manage email communications with our users. To consult the Privacy Policy use this link: https://sendgrid.com/en-us/resource/general-data-protection-regulation-2 . 
• Twilio: Used as an SMS service for important communications and SMS notifications. To view the Privacy Policy please use this link: https://www.twilio.com/en-us/legal/privacy/website . 
• Firebase: Used for user authentication to ensure secure access to our services. To view the Privacy Policy please use this link: https://firebase.google.com/support/privacy?hl=it . 
• Google Cloud: Used for certain features and data storage. To consult the Privacy Policy use this link: https://cloud.google.com/privacy . 

These services are essential to support various functions of our products and services. 

We encourage you to read the respective privacy policies of these services to understand how they treat your personal data. Sharing data with these providers is strictly necessary to provide and improve our services, and we are committed to only working with providers who maintain high standards of data protection.

13. Use of your personal data for Other Purposes

We will only use your personal data for the purposes for which we collected it, unless we reasonably believe that we need to use it for another reason compatible with the original purpose. If you would like an explanation of how the processing for the new purpose is compatible with the original one, please contact us.

14. Sale or Transfer of Business

We may need to process your personal data during trading or in connection with any merger, financing, acquisition, bankruptcy, dissolution, transaction or proceeding involving all or a portion of our stock, business or assets. Such processing will be based on our legitimate interests in executing the transaction or to comply with our legal obligations.

15. Disclosure of Personal Data

We will not disclose your personal information to anyone, except as described in this policy. We may share your personal information with other companies in our Group or with our business partners. Your personal information (e.g., full name and email address) may be shared with the recipient/sender of a payment in the context of the specific relevant transaction. This may involve transferring your personal data outside of the European Economic Area (EEA) or the United Kingdom.

We may share your personal information with third parties to provide you with our products and services, including service providers, credit reference agencies, and financial institutions. We may also share your personal information with regulators and third parties to prevent crime, reduce risk, respond to legal proceedings, investigate violations of business terms, or protect the rights and property of Carta Reale, our customers, or others.

16. International Data Transfers

The information we collect may be transferred to, stored and processed in countries outside the European Economic Area (EEA). These countries may have different data protection standards than those in your country of residence. However, we are committed to ensuring that your data is treated securely and in accordance with applicable data protection laws.

Credential Security

If we have provided you with (or have chosen) a password, access code, or any other secure means of accessing parts of our site, it is important that you keep these credentials confidential. Don't share them with anyone. You are responsible for the activities that occur under your credentials and authorize Carta Reale to act on the instructions and information received from anyone using your credentials.

Security of Data Transmission

The transmission of information via the Internet is not completely secure. We will do our best to protect your personal information, but we cannot guarantee the security of any data transmitted to our site. Once we receive your information, we will take strict measures and security features to prevent unauthorized access.

17. Data Retention

We only retain your personal data for as long as necessary to achieve the purposes for which we collected it. To determine the appropriate shelf life, we consider various factors, including:

• Quantity, nature and sensitivity of data: We assess how sensitive and relevant the data we have is.
• Potential Risk: We consider the risk of harm resulting from unauthorized use or disclosure of data.
• Purposes of processing: We only keep data for as long as it is necessary for the purposes for which we process it.
• Available alternatives: We check if we can achieve the same goals with different methods.
• Legal requirements: We comply with laws that require us to retain data for specific periods.

Here are some examples of how we apply these principles:

• Complaint management: We retain data to handle any complaints.
• Possibility of litigation: We retain data if we think it may be necessary to defend against possible legal claims.
• Legal obligations: We comply with specific regulations, such as EU and UK anti-money laundering regulations, which require us to retain data for 5 years after the end of the relationship.
• Audit & Compliance: We retain the data needed for audit and compliance purposes.
• Abuse prevention: We retain data to prevent abuse during and after our promotions.

You have the right to ask us to delete your personal data under certain conditions. Please see the section on your legal rights for more information. We will only comply with your request for deletion if it meets the conditions set out in the law.

18. Use of Cookies

We use cookies and similar technologies to improve your experience on our Services and Site. Cookies are small data files that are sent to your browser from a web server and stored on your device. These cookies allow our Site to function properly and help us better understand how users interact with our Site and Services.

You can set your browser to refuse all or some cookies, or to alert you when websites set or access cookies. However, if you disable or reject cookies, please be aware that some parts of our Services or Site may become inaccessible or not function properly.

We use different types of cookies:

• Strictly Necessary Cookies: These cookies are essential for the operation of our Site and Services. Without them, some services may not be available.
• Performance cookies: These cookies allow us to monitor and improve the performance of our Site. For example, they help us understand which pages are most popular and how visitors navigate the Site.
• Functionality cookies: These cookies allow us to remember your preferences and provide enhanced functionality. For example, they can be used to remember your language preferences.
• Targeting cookies: These cookies are used to deliver advertisements that are more relevant to you and your interests. They can also be used to limit the number of times you see an advertisement and to measure the effectiveness of advertising campaigns.

We take appropriate security measures to protect the data we collect through cookies and other similar technologies. By using our Site and Services, you consent to the use of cookies in accordance with our Cookie Policy.

For more information about the cookies we use and how to manage them, please see our Cookie Policy: cookie policy link 

19. Updating the Privacy Policy

We reserve the right to update this privacy policy from time to time. Any changes will be posted on this page, and if the changes are significant, we will notify you by email or other appropriate means. We encourage you to review this policy regularly to be aware of any updates.

20. Contact Us

If you have any questions or requests regarding this privacy policy or would like to exercise your rights, you can contact us at:

• E-mail: compliance@firstdigitaltrade.com.
• Postal: