The privacy of customers personal data is important to Xolo. This Policy describes the rules according to which Xolo processes the personal data of any person using the Xolo’s website https://www.xolo.io/es-es, mobile apps and any services offered by Xolo.
General Definitions Xolo
Service provider who needs to process customer’s personal data for the provision of service:
- XOLO BUSINESS SPAIN, S.L.U, Muntaner 239, atic 08021 Barcelona con CIF: B-67817262
- Affiliate of the service provider whose company information is provided in the respective service agreement
This Policy applies to Personal Data Processing where Xolo acts as a Controller. Any personal data Processing conducted on behalf of the Customer or his legal entity is subject to an additional data processing agreement signed between Xolo and the legal person controlled by the Customer.
Personal Data being collected
Xolo Processes the following Personal Data about the Customer:
- Personal Details – full name (surname and given name), gender, personal identification code, date of birth, nationality, contact postal address, e-mail address, mobile phone number, bank where the personal bank account exists;
- Identification Data – data retrieved from the copy of a passport, such as document number, issue date, expiry date and issuing entity, photo, URL of a Portfolio or LinkedIn profile;
- Verification Data – data which Xolo collects for the purpose of conducting Customer due diligence under applicable anti-money laundering laws and the financing of terrorism -in particular, Law 10/2010 of April 18 on the prevention of money laundering and financing of terrorism
- Background Data – data Xolo collects and Processes for the purpose of conducting Customer adverse media checks via open sources;
- Profile Data – Customer’s Google profile data, such as name, e-mail address, language preference and profile picture;
- Payment Data – data concerning payments for Xolo’s Service and state fees, such as account number (IBAN), account holder name, bank name, transaction details.
- Business related Data – in the course of providing Go Service Xolo collects and Process data concerning the field of activity the Customer wishes to act via virtual company, in the course of providing certain Services Xolo collects and Process the business description provided by the Client;
- Device Data – information regarding the device on which the Customer is using the Xolo’s website/app, including the device’s model, name or any other identifier and the IP address;
- Preference Data – Customer’s preferences in the Xolo’s website/app;
- Customer Support – Data – communication between Xolo and the Customer (inquiries submitted via the website, email, social media or chat);
- Usage Data – data about Customer’s interaction in Xolo’s website/app.
Sources of Personal Data collection
Majority of Customer’s Personal Data Processed by Xolo is collected directly from the Customer. However, Xolo may collect Customer’s Personal Data also from third party sources, such as databases of financial sanctions and people subject to international financial sanctions and databases of politically exposed people. Some of these databases are publicly available and some of them are not.
Purposes for collecting and Processing Customer's Personal Data
Personal Data collected by Xolo is Processed for the purposes established in the law or as described herein, including but limited for the following purposes:
- Contractual Purpose – Xolo needs to Process Customer’s Personal Data in order to enter into service agreement with the Customer and to provide Service to Customer;
- Compliance Purpose – Xolo needs to Process Customer’s Personal Data in order to perform obligations under applicable laws, such as to comply with anti-money laundering requirements, and combat fraud, ensure the fulfilment of international financial sanctions, comply with the lawful inquiries and orders of public authorities with whom Xolo is obligated to cooperate;
- Analytical Purpose – Xolo needs to Process Customer’s Personal Data in order to manage, analyse and improve the Service, website and app;
- Marketing Purpose – Xolo needs to Process Customer’s Personal Data in order to send relevant promotional information to the Customer about Xolo services and the related offerings by third parties we work with, if the Customer has granted an explicit consent to use his/her Personal Data for this purpose;
- Personalization Purpose – Xolo needs to Process Customer’s Personal Data in order to personalize the Service and the content provided to the Customer;
- Communication Purpose – to contact the Customer for administrative purposes such as customer service, address technical or legal issues related to the Service provided, or share updates and notifications about the Service;
Xolo shall not use Customer's Personal Data for any other purpose incompatible with the purposes outlined above or required, permitted or authorized by law. Customer is not subject to statutory obligation which obligates Customer to provide Personal Data described herein to Xolo. The collection of certain Personal Data referred herein may be required under the law and/or inevitably necessary for the provision of service to the Customers (such as data necessary for the verification of the Customer). Failure to provide data may result in adverse consequences, such as, Xolo’s inability to comply with our obligations under law. The Customer is welcome to ask for clarifications regarding the obligation to submit any specific Personal Data and also about possible consequences arising from the failure to provide the Personal Data.
Automated decision making
Xolo is providing Xolo certain Services for the Customers active in the certain field of activities. Not all fields of activities are supported by Xolo’s services. Xolo is using automated decision making in the pre-contractual Processing in order to establish sufficiently whether the Customer is eligible to use Xolo’s services. Automated decision making refers to a decision which is taken solely on the basis of automated Processing of Customer’s Personal Data. This means Processing using, for example, software code or an algorithm, which does not require human intervention
During onboarding process, the Customer is being asked for the field of activity of the service provided in course of using Xolo’s services. The automated decision making is necessary for entering into agreement with Xolo. The automated decision making is used in order to accept or reject the Customer’s application to enter into a service agreement with Xolo. In case the field of activity which the Customer wishes to act is not supported by Xolo’s services, then the Customer’s application will be rejected. Upon rejection, Xolo will inform the Customer by e-mail about the reasoning for rejection. The Customer is entitled to request human intervention or object to the decision by contacting Xolo.
Legal grounds for Processing
Xolo is relying on the following legal grounds when Processing Customer’s Personal Data:
- Processing is necessary for the performance or entry into a contract between Customer and Xolo (GDPR article 6 (1) (b)) whose terms and conditions will be made available to the Client prior to a possible contract. In order to carry out this requested professional relationship, the interested party is obliged to provide their data;
- Processing is necessary for compliance with a legal obligation to which Xolo is subject (GDPR article 6 (1) (c)). Xolo is Processing Personal Data for Compliance Purpose under legal obligations to which Xolo is subject to;
- Processing is necessary for the purposes of the legitimate interests pursued by Xolo (GDPR article 6 (1) (f)). Xolo is Processing Personal Data for Analytical or Personalization Purpose under legitimate interest;
- Customer has granted a consent to the Processing of his Personal Data (GDPR article 6 (1) (a)). Xolo is Processing Personal Data for Marketing Purpose under Customer’s consent.
Transfer of the Personal Data
Xolo may transfer Customer's Personal Data to third parties, such as:
- legal and regulatory authorities (e.g. commercial register) whom Xolo is obligated to disclose Customer’s Personal Data under the law;
- server hosts who host Xolo’s servers;
- identification service providers who help Xolo verify Customer’s identity and acquire Verification Data;
- communication service providers who facilitate e-mails, calls, SMS messages and other communication between Xolo and the Customer;
- customer support and customer management service providers;
- marketing service provider;
- Xolo’s partner bank who providing banking services to the Customer or to the legal entity controlled by the Customer or any other financial service provider;
- Xolo’s affiliate. i.e. any company that directly or indirectly controls Xolo; any company that is directly or indirectly controlled by Xolo; or any company that is controlled, directly or indirectly, by the ultimate parent company of Xolo. Control shall mean owning more than fifty percent of the voting rights in a company or otherwise having the power to govern the financial and the operating policies or to appoint the management of a company;
- other parties involved with the provision of Xolo’s Service (accountants, auditors, lawyers, IT systems suppliers and support, or any other outsourcing providers).
Xolo has taken steps to ensure that these data recipients protect the confidentiality and security of Personal Data, and to ensure that Personal Data is Processed only for the provision of Service and in compliance with applicable law.
Such third parties may be located in countries outside of the European Economic Area ("EEA") whose privacy regulations may differ and which are not subject to adequacy decisions of the European Commission. In those countries the security of the Personal Data (inc. protection against misuse, unauthorized access, disclosure, alteration or destruction) may not be ensured as it is secured in the European Union, due to the lack of adequate data protection level.
For example, Xolo may transfer Customer's Personal Data to the US, in which case Xolo shall ensure that the recipient of the Personal Data has adopted standard data protection clauses adopted by a control authority and approved by the Commission, or has adopted codes of conduct, together with binding and enforceable commitments from the controller or processor in the third country to apply adequate guarantees, including those relating to the rights of the interested persons, or certification mechanisms, together with binding and enforceable commitments of the person in charge or the person in charge of the treatment in the third country to apply adequate guarantees, including those relating to the rights of the interested persons.
When transferring collected Personal Data outside of the EEA, Xolo shall ensure the application of the appropriate safeguards. If the Customer wishes to receive a copy, please contact us as instructed below.
Xolo will take appropriate legal, organisational, and technical measures to protect Personal Data consistent with applicable privacy and data security laws. Security measures shall be applied in order to protect Personal Data from involuntary or unauthorized Processing, disclosure or destruction. Upon transferring Personal Data to third parties, Xolo will apply the following safeguards:
- Xolo enters into a data processing agreement with the relevant third party;
- Xolo makes sure that such third party undertakes to implement appropriate technical and organizational measures ensuring the Processing of Customer’s Personal Data in accordance with this Policy and applicable law;
- Xolo makes sure that (a) the third party is established in a jurisdiction which the European Commission has recognized as ensuring an adequate level of personal data protection, or (b) the Processing of Customer’s Personal Data is subject to other appropriate safeguards stipulated in the GDPR.
Integrity and retention of the Personal Data
Xolo will retain Personal Data for the period required or permitted by applicable law, but no longer than it is reasonably necessary in order to achieve the purposes for which the Personal Data was collected. Xolo takes reasonable steps to ensure that the Personal Data we Process is reliable for its intended use, accurate, and complete as necessary to carry out the purposes described herein.
Customer's rights in regarding to the collection of Personal Data
Customer has the following rights in relation to the Processing of his Personal Data:
- Request information - Xolo has provided all information which the Customer has right to receive in this Policy. The valid version of the Policy is available in Xolo’s website at any time.
- Right to access - Customer has the right to ask Xolo to provide a copy of Customer’s Personal Data which Xolo Process.
- Right to Rectification - Customer has the right to ask Xolo to rectify Personal Data in case the data is incorrect or incomplete.
- Right to Erasure - Customer has the right to ask Xolo to erase Personal Data, unless Xolo is obliged to continue Processing Customer’s Personal Data under law or under a contract between the Customer and Xolo, or in case Xolo has other lawful grounds for the continued Processing of Personal Data.
- Right to Restriction - Customer has the right to ask Xolo to restrict the Processing of his Personal Data in case the data is incorrect or incomplete or in case his Personal Data is Processed unlawfully.
- Right to Data Portability - Customer has the right to ask Xolo to provide the Customer or, in case it is technically feasible, a third party, his Personal Data, which the Customer has provided to Xolo and which is Processed in accordance with Customer’s consent or a contract between the Customer and Xolo.
- Right to withdraw Consent for the Processing of Personal Data - Customer is entitled to withdraw the consent granted for the Processing of Personal Data et any time. Withdrawal does not affect the lawfulness of the Processing conducted before the withdrawal.
- Right to File Complaints - Customer has the right to file complaints regarding Processing of his Personal Data.
In order to exercise any rights referred herein the Customer is required to submit a written application to Xolo (Xolo’s contact details can be find under Section 14). Xolo has the right to decline this application by justifying the reasons for the refusal.
According to the article 12(3) of GDPR, Xolo is obligated to respond to the application within 1 month. However, Xolo will make its best efforts to respond to Customer’s request within 1 week.
If a Customer receives commercial emails from us, he may unsubscribe at any time by following the instructions contained within the email or by sending an email to firstname.lastname@example.org
The Customer is able to view and modify settings relating to the nature and frequency of promotional communications that they receive from us by accessing the "Settings" section in the restricted area of the website. The Customer has to be aware that if he opts-out of receiving commercial emails from us or otherwise modify the nature or frequency of promotional communications he receives from us, it may take up to five (5) business days for us to Process the request. Additionally, even after he/she opts-out from receiving commercial messages from us, he/she will continue to receive administrative messages from us regarding the Service.
Right to amend this Policy
Xolo is entitled to unilaterally amend this Policy from time to time. Upon amending the Policy, Xolo will notify the Customer about the terms by e-mail. In case the new terms refer to Processing of Customer’s Personal Data for any new purpose, which requires Customer’s consent, then Xolo will not Process Personal Data for such new purpose, before it has received respective consent.
Should the Customers have any questions regarding this Policy or they want to exercise their rights, they are welcome to contact Xolo with requests, inquiries or any complaints via email: email@example.com clearly indicating (i) your identity, indicating, at least, your full name and the email address you used when registering on the website, and (ii) the right or rights you exercise.
You can also go to the Spanish Data Protection Agency (www.agpd.es) to request the protection of your rights, if you consider it appropriate.
The exercise of these rights is free, unless manifestly unfounded or excessive requests are made, in which case the interested party may be required to assume the cost of the processing.
By accepting this Policy, the Customer confirms that he has familiarized himself with this Policy, understood it and agree to its terms.
Last updated: March 24, 2022