Privacy Policy

Antigua & Barbuda

INTRODUCTION

This Nexo Bank Privacy Policy (the "Privacy Policy") governs the privacy relations between you ("Client" or "you") and Nexo Bank Inc. ("Nexo Bank"), a company duly incorporated under the laws of Antigua and Barbuda, licensed by the Financial Services Commission of Antigua and Barbuda (FSRC), pursuant to the International Banking Act, as a Class I International Banking Institution bearing License number IB17385/23 ("Nexo Bank", the "Bank", "we", or "us") regarding how we collect, process, and protect your personal data as you access and use https://nexobank.com (the "Website" or the "Nexo Bank Website"). We encourage you to seek out and read the Privacy Policy to understand how the information that we collect about you is used and protected.

The Privacy Policy is reviewed regularly to ensure that any new services or updates, as well as any changes to our business model and practices are taken into consideration. We will alert you of material changes by, for example, placing a notice on the Website and/or by sending you an email. Your continued use of the Website after we make changes is deemed to be your acceptance of those changes, so please carefully review the Privacy Policy periodically for updates.

Definitions

Controller means Nexo Bank Inc., which may have the capacity of a personal data controller for the purpose of this Privacy Policy;
Personal Data means information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a Data Subject, who is identified or identifiable from that information or from that and other information in the possession of a controller, including any sensitive personal data and expression of opinion about the Data Subject;
Data Subject a natural or legal person who is the subject of personal data;
Privacy Laws means any applicable local and international personal data protection legislation, including but not limited to the Data Protection Act, 2013 in Antigua and Barbuda and the General Data Protection Regulation (EU) 2016/679;
Processing means the collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including the (a) organisation, adaptation or alteration of personal data; (b) retrieval, consultation or use of personal data; (c) disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (d) alignment, combination, correction, erasure or destruction of personal data.

Information We Collect

Nexo Bank may collect the following types of Personal Data during the pre-contractual process when you interact and communicate with Nexo Bank through any media or channel:

User-provided information:

Identification information: full name, personal identification number, date, place and/or country of birth, your picture and/or selfie, colour pictures of your identification document (passport, ID or driver's licence) - front and back; email address, PEP status (Politically Exposed Persons), statements of your social status or official position held, sanctions status, any other data allowing us to conduct due diligence in accordance with the requirements relating to anti-money laundering and prevention of terrorist financing;
Contact and communication information: permanent and current address, telephone number, social media profiles, tags and handles, messages in any social platform or communication channel or medium;
Labour status: occupation, industry, employment status;
Financial information: Data concerning your financial situation, profession, knowledge and experience in order for us to assess whether the services provided by us are suitable for you, your bank account number, source of funds, transaction history, assets in Nexo Bank;
Other information: any other information that you provide to Nexo Bank at your own discretion.

Information we collect automatically

When you visit the Nexo Bank Website, we automatically collect the following information:

Technical information, including the information about your device, information related to the network, software and the network connection with internet, information ensuring your access to the Website, type and version of your browser, setting of the time zone, type and version of the browser extensions, operating system and platform, screen resolution, geolocation, and font coding;
Information about your website visits, including full history of your visits from the Unified Resource Locator (URL) to, via or from the Website (including date and hour of such visits); consent given to any other applicable Nexo Bank policies and the Cookie banner; services which you searched for or have seen; forwarding/initial webpages; files you have seen on the Website (e.g. HTML pages, graphics, others), time for page answers, uploading mistakes of the webpage, access time for the different pages, information for the interaction of the webpage (like clicking or moving the cursor) and the ways for getting out of the page. For additional information, please see our Cookies Policy, available at the Nexo Bank Website;
Information generated by using the services of Nexo Bank.

Information we get from third parties

Nexo Banks gets information about you from third parties only in the context of account creation and verification, and during the regular due diligence processes, in compliance with its regulatory and statutory obligations. More information about third parties and our identity verification providers is available in Section VII - Third Parties.
Notwithstanding the above, Nexo Bank does not request and/or collect any Personal Data about you from third parties.

Please note that if you refuse to provide Personal Data when requested, especially where we need to collect it by law, or under the terms of a contract we have or are looking to enter into with you, we may not be able to perform the relevant contract, including the ability to offer or continue to provide our services to you.

Processing Purposes

Nexo Bank may process your Personal Data only in accordance with the applicable Privacy Laws and this Privacy Policy for the following purposes:

Identification and verification: to process your application and to provide services to you, as well as to verify your identity (this may also include the use of biometric technologies);
Transaction services: to accept and process orders, process payments, and communicate with you about orders, services, and promotional offers;
Recommendations and personalization: to personalise your experience and to allow us to deliver the type of content and service offerings in which you are most interested, including to save your preferences and login information, and to provide customised content;
Continuous improvement of the Nexo Bank Website: we use your Personal Data to provide functionalities on, analyse performance, fix errors, and improve the usability and effectiveness of the Nexo Bank Website; to maintain the quality and safety of our services; for internal quality control purposes including debugging to identify and repair errors that impair existing intended functionality; to identify and analyse service usage metrics and/or trends (e.g. pages visited, functions used, etc.) and for data analysis, including for research, audit, reporting or other business operation purposes;
Compliance with applicable legislation: in certain cases, we collect and use your Personal Data to comply with Privacy Laws and other applicable local and international industry laws and regulations;
Communication: we use your Personal Data to communicate with you in relation to your access to the Nexo Bank Website and for the provision of the Nexo Bank services, as well as for informing you regarding any changes to Nexo Bank, our services or our contractual relationship;
Fraud prevention: we process your Personal Data to monitor and detect security incidents, to protect against malicious, deceptive, fraudulent or illegal activity, including money laundering, terrorism financing and other criminal activities and hold those responsible for that activity;
Marketing purposes: we may use your Personal Data to send you marketing communications by email or other agreed forms (including social media campaigns), to ensure you are always kept up-to-date with Nexo Bank's latest products and services. Any marketing communications shall include an option to unsubscribe from the mailing lists;
Purposes for which we seek your consent: we may also ask for your consent to process your Personal Data for a specific purpose that we communicate to you. In such cases, when you consent to Processing for a specified purpose, you may withdraw your consent at any time, and we will cease Processing your Personal Data for that purpose;
For any other purposes arising from the activities listed above that are not prohibited by law.

Legal Basis for Processing

To achieve the purposes listed above, Nexo Bank collects and processes your Personal Data in a legitimate and transparent manner under the Privacy Laws, and namely:

for the purpose of concluding and/or implementing a contract with you;
to fulfil our obligations under the applicable legislation;
for the purposes of our legitimate interests, except when your interests and rights take precedence over Nexo Bank's legitimate interests; or
based on your consent, where necessary - in the event your consent is required, Personal Data Processing shall commence only after receipt of such consent.

Automated Decision Making and Profiling

Automated decision making is the ability to make decisions by technological means without human involvement. We use automated decision making, for example, because it:

allows greater consistency and fairness in the decision-making process (e.g., it helps reduce the potential for human error or discrimination);
enables delivery of decisions within a shorter time frame than a human-based process, improving the efficiency of the process;
reduces the risk of clients failing to meet loan repayments.

Automated decisions can be based on any type of data, for example:

data provided directly by the Data Subject to Nexo Bank or its identity verification service providers;
data observed about the Data Subject (such as location data collected via the Nexo Bank Website);
inferred or derived data;

Third Parties

Nexo Bank may disclose your Personal Data to other Nexo companies within the Nexo group for the purposes of providing our international banking services to you. We have undertaken all necessary measures to ensure that all Nexo companies handle your Personal Data with the same degree of care. We may also disclose your Personal Data to other selected third parties outside of the Nexo group – service providers for the performance of our contractual obligations with you, and for other purposes described in this Privacy Policy.

We may share your Personal Data with the following categories of external third parties:

Banking and payment network service providers to enable you to upload funds, make and receive payments and withdraw funds; these providers include banks, acquirers, alternative payment providers, card providers and account information service providers;
Providers of risk assessment and fraud detection, Know Your Customer checks (KYC), Anti-Money Laundering (AML), counter-terrorism financing services (CFT), and the Financial Action Task Force (FATF);
Online advertising platforms for the purposes of marketing;
Analytics and search engines providers that assist us in the improvement and optimisation of the Nexo Bank Website;
Cloud service providers who among other things provide us with the necessary infrastructure to safely store and manage your Personal Data;
Auditors, advisors, legal representatives, and similar agents in connection with the advisory services they provide to us, subject to the necessary confidentiality obligations;
Third parties at any time when we are legally required to disclose your Personal Data and your use of our services, which include but are not limited to competent law enforcement bodies, regulatory, government agencies, courts or other third parties (e.g., the police, the financial supervisory authorities, the tax and social security agencies). Such disclosure shall be subject to our good faith and belief that it is necessary to protect your safety or the safety of others, to protect our rights, to prevent and investigate fraud, or to respond to a government request.

You should also note that the Nexo Bank Website includes links to third-party websites, plug-ins, handles, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share your Personal Data. Nexo Bank does not control these third-party websites and is not responsible for their personal data processing activities. When you leave the Nexo Bank Website, we encourage you to read the privacy policy/notice of every third-party website you visit.

Transfers

When transferring Personal Data, we are committed to ensuring that the data importer maintains materially similar security measures for storage and Processing of Personal Data as we do. Your Personal Data may be processed, stored and transferred to third parties in the manner and scope as indicated in this Privacy Policy, the contract(s) concluded between you and us, and consents you give to us from time to time.

Locations outside your country of residence may be used for Processing (including storage) the data we collect about you. The information we transfer may be shared with our service providers. It may include such processes as processing a payment, data analysis (including fraud, risk, and compliance checks), collecting data on use of our websites and services, for advertising purposes (including behavioural advertising), or offering support for your service or product needs. We take all reasonable action to ensure the safety of your Personal Data in accordance with this Privacy Policy and applicable local and international legislation.

Direct Marketing

Subject to the applicable legislation, Nexo Bank may from time to time send direct marketing materials promoting its services and/or activities to its existing clients and Website users who have subscribed for updates. You may, at any time, opt out of such communications by utilising the marketing preferences centre provided with each direct marketing communication.

Data Security

Personal Data collected by Nexo Bank through the Nexo Bank Website or otherwise is kept on secure servers, hosted in a cloud environment in the EU. Nexo Bank uses security measures appropriate to the provision of the relevant international banking services, such as reasonable administrative, technical, personnel, and physical measures to protect your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We may use network safeguards such as firewalls and data encryption. In addition, we provide a limited need-to-know access to your Personal Data to those employees, agents, contractors, and other third parties who require access to fulfil their legal obligations. They will only process your Personal Data on our instructions, and they are subject to a duty of confidentiality. Those with access to your Personal Data are carefully screened, periodically re-evaluated, and are required to keep all your Personal Data confidential.

In the event of a security breaching leading up to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your Personal Data as transmitted, stored or otherwise Processed by Nexo Bank, we shall inform you, without undue delay, where that Personal Data breach is likely to result in a high risk to your rights and freedoms in order to allow you to take the necessary precautions. Any actual personal data breach will also be reported to the relevant data protection authorities.

Storage and Retention

Personal Data is stored for variable periods of time depending on the category of Personal Data and its usage:

Some information might be deleted automatically based on specific schedules or via script upon request. If you have opted out of receiving marketing communications, we will hold your email address on our suppression list so that we know you do not want to receive these communications;
Other data, such as account information, might be retained for a longer period based on the contract you have with us, in accordance with relevant industry standards or guidelines, and in accordance with our legitimate business interests, including prevention of promotion abuse and similar activities;
We might further retain information for business practises based on our legitimate interest such as product and service improvement, fraud prevention, record-keeping, in the event of complaint or enforcing our legal rights;
We might have to retain a certain set of Personal Data to comply with our audit, reporting and other legal requirements (including but not limited to the FATF recommendations, the applicable legislation in Antigua and Barbuda governing Nexo Bank's operations as an International Bank, and the relevant Anti-Money Laundering and Combating the Financing of Terrorism legislation).

Your Rights

Depending on the jurisdiction you access the Nexo Bank Website from, your residency, or your citizenship, you may have one or more of the following Data Subject rights. Upon receipt of your requests at the contact details provided below, Nexo Bank shall reply without undue delay and within the applicable statutory deadlines (as a rule of thumb, thirty (30) days extendable by two further months unless otherwise provided for by any other applicable Privacy Laws).

List of Rights:

Access – you have a right to obtain confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, access to information about the Processing, including the purposes of the Processing, the categories of Personal Data, the recipients of the Personal Data, and its retention period.
Rectification – you have the right to correct inaccurate Personal Data and/or complete incomplete Personal Data.
Deletion/Erasure – you have the right to request erasure of Personal Data (the right to be forgotten). Nexo Bank shall take reasonable steps to inform any other controllers also Processing the data of your request to have your Personal Data deleted, however, we may not always be able to comply with your request of erasure for specific legal reasons which are set out in Section XI above .
Restrict Processing – you have the right to restrict the Processing of Personal Data, under certain circumstances.
Portability – you have the right to data portability to:
- receive a copy of the Personal Data in a structured, commonly used and machine-readable format;
- transmit the Personal Data to another data controller (including directly by another data controller where possible).
Object to Processing – you have the right to object to Processing for profiling, direct marketing, and statistical, scientific, or historical research purposes.
Object to automated decision making – you have the right to not be subject to automated decision making, including profiling, which has legal or other significant effects on you.
Withdraw consent – you may, at any time, withdraw your consent to Nexo Bank's Processing when the Processing is based solely on your consent.

To help protect your privacy and security, we will take reasonable steps to verify your identity before granting access to your Personal Data. We will make reasonable attempts to promptly investigate, comply with, or otherwise respond to your requests as may be required by any applicable laws. Depending upon the circumstances and the request, we may not be permitted to provide access to Personal Data or otherwise fully comply with your request; for example, producing your information may reveal the identity of someone else. We reserve the right to deny your requests, at Nexo Bank's sole discretion, where they may be manifestly unfounded or excessive, or otherwise unacceptable under any applicable laws.

Please note that any request with regards to Personal Data, which is publicly available, should be submitted directly to the third-party supplier of the information.

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we reserve the right to charge a reasonable fee if your request is manifestly unfounded or excessive.

Contact Us

We value your opinion, if you have any comments or questions about this Privacy Policy, Nexo Bank's handling of your Personal Data, a possible Personal Data breach, or to exercise your rights, please send an email to [email protected]. Nexo Bank will treat your requests or complaints confidentially.

Please include the following information in your email:

Full name;
Preferred communication channel (if none selected, default is email);
Country of residence and access;
If a request to exercise your rights, the type of your request (access, portability, deletion, etc.);
Detailed description of the request.

If you do not think we have been able to resolve your complaint, you can lodge a complaint directly to the data protection authority in Antigua and Barbuda.

Miscellaneous

Our services are not directed to persons under the age of 18 (eighteen) years old or of legal age to enter into contractual relations with Nexo Bank (whichever is later) hereinafter referred to as "Children" or "Child", and we do not knowingly collect or process the Personal Data of Children. If we learn that we have inadvertently gathered Personal Data from a Child, we will take legally permissible measures to remove that information from our records. Nexo Bank will require the user to close his or her account and will not allow the use of our services.

If you are a parent or guardian of a Child, and you become aware that a Child has provided Personal Data to us, please contact us at [email protected] immediately.