The privacy of customers personal data is important to Xolo. This Policy describes the rules according to which Xolo processes the personal data of any person using the Xolo’s website www.xolo.io, mobile apps and any services offered by Xolo.
General DefinitionsXoloService provider who needs to process customer’s personal data for the provision of service. Depending of the service the service providers are the following:
- Xolo Go OÜ (registry code 14717109, address Kalasadama 4, Tallinn, Estonia) who provides Go Service
- Xolo OÜ (registry code 12844111, address Kalasadama 4, Tallinn, Estonia) who provides Leap Service
- Affiliate of the forenamed service provider whose company information is provided in the respective service agreement
Personal Data processed by Xolo is described under Section 3ProcessingAny operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destructionControllerA person who alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Depending of the service the Controller of the Customer’s Personal Data is:
ProcessorA person who Processes Personal Data on behalf of the Controller
- Xolo Go OÜ or its affiliate if Customer requested Go Service
- Xolo OÜ or its affiliate if Customer requested Leap Service
In the course of provision of Service, Xolo may act as Processor by Processing Personal Data on behalf of its Customer or Customer’s legal entity. However, this Policy shall not regulate the Xolo’s actions as ProcessorServiceAny services provided by Xolo via website www.xolo.io and Xolo mobile appsGo ServiceEnables Customer who is a freelancer to provide professional services to his business customers via virtual company. Go Service includes the provision of standard agreements to Customer for its business activities and business accountLeap ServiceEnables Customer to start up and remotely run a company. Leap Service includes various services which the Customer is able to use in the course of running the Company which is initially established for the Customer by Xolo
This Policy applies to Personal Data Processing where Xolo acts as a Controller. Any personal data Processing conducted on behalf of the Customer or his legal entity is subject to an additional data processing agreement signed between Xolo and the legal person controlled by the Customer.
Personal Data being collected
Xolo Processes the following Personal Data about the Customer:
- Personal Details – full name (surname and given name), gender, personal identification code, date of birth, nationality, contact postal address, e-mail address, mobile phone number, bank where the personal bank account exists;
- Identification Data – data retrieved from the copy of a passport, such as document number, issue date, expiry date and issuing entity, photo, URL of a Portfolio or LinkedIn profile;
- Verification Data – data which Xolo collects for the purpose of conducting Customer due diligence under applicable anti-money laundering laws. For Go Service, Xolo collects data concerning whether the Customer is politically exposed and whether the Customer is subject to any international financial sanctions. The foregoing is collected and Processed by Xolo in the course of provision of Leap Service, if the Customer wishes to use third party banking services;
- Background Data – data Xolo collects and Processes for the purpose of conducting Customer adverse media checks via open sources;
- Profile Data – Customer’s Google profile data, such as name, e-mail address, language preference and profile picture;
- Payment Data – data concerning payments for Xolo’s Service and state fees, such as account number (IBAN), account holder name, bank name, transaction details, If the Customer chooses to pay for the Service by credit card or by PayPal, his/her payment details are not stored by Xolo and therefore cannot be accessed by Xolo.
- Business related Data – in the course of providing Go Service Xolo collects and Process data concerning the field of activity the Customer wishes to act via virtual company, in the course of providing Leap Service Xolo collects and Process the business description, incl. planned services and service volumes of the company being established by Leap Service;
- Device Data – information regarding the device on which the Customer is using the Xolo’s website/app, including the device’s model, name or any other identifier and the IP address;
- Preference Data – Customer’s preferences in the Xolo’s website/app;
- Customer Support Data – communication between Xolo and the Customer (inquiries submitted via the website, email, social media or chat);
- Usage Data – data about Customer’s interaction in Xolo’s website/app.
Sources of Personal Data collection
Majority of Customer’s Personal Data Processed by Xolo is collected directly from the Customer. However, Xolo may collect Customer’s Personal Data also from third party sources, such as databases of financial sanctions and people subject to international financial sanctions and databases of politically exposed people. Some of these databases are publicly available and some of them are not.
Purposes for collecting and Processing Customer's Personal Data
Personal Data collected by Xolo is Processed for the purposes established in the law or as described herein, including but limited for the following purposes:
- Contractual Purpose – Xolo needs to Process Customer’s Personal Data in order to enter into service agreement with the Customer and to provide Service to Customer;
- Compliance Purpose – Xolo needs to Process Customer’s Personal Data in order to perform obligations under applicable laws, such as to comply with anti-money laundering requirements, and combat fraud, ensure the fulfilment of international financial sanctions, comply with the lawful inquiries and orders of public authorities with whom Xolo is obligated to cooperate;
- Analytical Purpose – Xolo needs to Process Customer’s Personal Data in order to manage, analyse and improve the Service, website and app;
- Marketing Purpose – Xolo needs to Process Customer’s Personal Data in order to send relevant promotional information to the Customer about Xolo services and the related offerings by third parties we work with, if the Customer has granted an explicit consent to use his/her Personal Data for this purpose;
- Personalization Purpose – Xolo needs to Process Customer’s Personal Data in order to personalize the Service and the content provided to the Customer;
- Communication Purpose – to contact the Customer for administrative purposes such as customer service, address technical or legal issues related to the Service provided, or share updates and notifications about the Service;
Xolo shall not use Customer's Personal Data for any other purpose incompatible with the purposes outlined above or required, permitted or authorized by law.
Customer is not subject to statutory obligation which obligates Customer to provide Personal Data described herein to Xolo. The collection of certain Personal Data referred herein may be required under the law and/or inevitably necessary for the provision of service to the Customers (such as data necessary for the verification of the Customer). Failure to provide data may result in adverse consequences, such as, Xolo’s inability to comply with our obligations under law. The Customer is welcome to ask for clarifications regarding the obligation to submit any specific Personal Data and also about possible consequences arising from the failure to provide the Personal Data.
Automated decision making
Xolo is providing Xolo Leap Service as well as Xolo Go Service for the Customers active in the certain field of activities. Not all fields of activities are supported by Xolo’s services. Xolo is using automated decision making in the pre-contractual Processing in order to establish sufficiently whether the Customer is eligible to use Xolo’s services.
Automated decision making refers to a decision which is taken solely on the basis of automated Processing of Customer’s Personal Data. This means Processing using, for example, software code or an algorithm, which does not require human intervention.
During onboarding process, the Customer is being asked for the field of activity of the service provided in course of using Xolo’s services. The automated decision making is necessary for entering into agreement with Xolo. The automated decision making is used in order to accept or reject the Customer’s application to enter into a service agreement with Xolo. In case the field of activity which the Customer wishes to act is not supported by Xolo’s services, then the Customer’s application will be rejected. Upon rejection, Xolo will inform the Customer by e-mail about the reasoning for rejection.
The Customer is entitled to request human intervention or object to the decision by contacting Xolo.
Legal grounds for Processing
Xolo is relying on the following legal grounds when Processing Customer’s Personal Data:
- Processing is necessary for the performance or entry into a contract between Customer and Xolo (GDPR article 6 (1) (b)), Xolo is Processing Personal Data for Contractual Purpose under contract entered into between Xolo and Customer;
- Processing is necessary for compliance with a legal obligation to which Xolo is subject (GDPR article 6 (1) (c)). Xolo is Processing Personal Data for Compliance Purpose under legal obligations to which Xolo is subject to;
- Processing is necessary for the purposes of the legitimate interests pursued by Xolo (GDPR article 6 (1) (f)). Xolo is Processing Personal Data for Analytical or Personalization Purpose under legitimate interest;
- Customer has granted a consent to the Processing of his Personal Data (GDPR article 6 (1) (a)). Xolo is Processing Personal Data for Marketing Purpose under Customer’s consent.
Transfer of the Personal Data
Xolo may transfer Customer's Personal Data to third parties, such as:
- legal and regulatory authorities (e.g. commercial register) whom Xolo is obligated to disclose Customer’s Personal Data under the law;
- server hosts who host Xolo’s servers;
- identification service providers who help Xolo verify Customer’s identity and acquire Verification Data;
- communication service providers who facilitate e-mails, calls, SMS messages and other communication between Xolo and the Customer;
- customer support and customer management service providers;
- marketing service provider;
- Xolo’s partner bank who providing banking services to the Customer or to the legal entity controlled by the Customer or any other financial service provider;
- Xolo’s affiliate. i.e. any company that directly or indirectly controls Xolo; any company that is directly or indirectly controlled by Xolo; or any company that is controlled, directly or indirectly, by the ultimate parent company of Xolo. Control shall mean owning more than fifty percent of the voting rights in a company or otherwise having the power to govern the financial and the operating policies or to appoint the management of a company;
- other parties involved with the provision of Xolo’s Service (accountants, auditors, lawyers, IT systems suppliers and support, or any other outsourcing providers).
Xolo has taken steps to ensure that these data recipients protect the confidentiality and security of Personal Data, and to ensure that Personal Data is Processed only for the provision of Service and in compliance with applicable law.
Such third parties may be located in countries outside of the European Economic Area ("EEA") whose privacy regulations may differ and which are not subject to adequacy decisions of the European Commission. In those countries the security of the Personal Data (inc. protection against misuse, unauthorized access, disclosure, alteration or destruction) may not be ensured as it is secured in the European Union, due to the lack of adequate data protection level.
For example, Xolo may transfer Customer's Personal Data to the US, in which case Xolo shall ensure that the recipient of the Personal Data is certified in accordance to the EU-US Privacy Shield entered by and between the US Department of Commerce and the European Commission. To learn more about the Privacy Shield program, please visit
When transferring collected Personal Data outside of the EEA, Xolo shall ensure the application of the appropriate safeguards. If the Customer wishes to receive a copy, please contact us as instructed below.
Xolo will take appropriate legal, organisational, and technical measures to protect Personal Data consistent with applicable privacy and data security laws. Security measures shall be applied in order to protect Personal Data from involuntary or unauthorized Processing, disclosure or destruction.
Upon transferring Personal Data to third parties, Xolo will apply the following safeguards:
- Xolo enters into a data processing agreement with the relevant third party;
- Xolo makes sure that such third party undertakes to implement appropriate technical and organizational measures ensuring the Processing of Customer’s Personal Data in accordance with this Policy and applicable law;
- Xolo makes sure that (a) the third party is established in a jurisdiction which the European Commission has recognized as ensuring an adequate level of personal data protection, or (b) the Processing of Customer’s Personal Data is subject to other appropriate safeguards stipulated in the GDPR.
Integrity and retention of the Personal Data
Xolo will retain Personal Data for the period required or permitted by applicable law, but no longer than it is reasonably necessary in order to achieve the purposes for which the Personal Data was collected.
Xolo takes reasonable steps to ensure that the Personal Data we Process is reliable for its intended use, accurate, and complete as necessary to carry out the purposes described herein.
Customer's rights in regarding to the collection of Personal Data
Customer has the following rights in relation to the Processing of his Personal Data:
- Request information - Xolo has provided all information which the Customer has right to receive in this Policy. The valid version of the Policy is available in Xolo’s website at any time.
- Right to access - Customer has the right to ask Xolo to provide a copy of Customer’s Personal Data which Xolo Process.
- Right to Rectification - Customer has the right to ask Xolo to rectify Personal Data in case the data is incorrect or incomplete.
- Right to Erasure - Customer has the right to ask Xolo to erase Personal Data, unless Xolo is obliged to continue Processing Customer’s Personal Data under law or under a contract between the Customer and Xolo, or in case Xolo has other lawful grounds for the continued Processing of Personal Data.
- Right to Restriction - Customer has the right to ask Xolo to restrict the Processing of his Personal Data in case the data is incorrect or incomplete or in case his Personal Data is Processed unlawfully.
- Right to Data Portability - Customer has the right to ask Xolo to provide the Customer or, in case it is technically feasible, a third party, his Personal Data, which the Customer has provided to Xolo and which is Processed in accordance with Customer’s consent or a contract between the Customer and Xolo.
- Right to Object - Customer has the right to object to Processing his Personal Data in case there is a reason to believe that Xolo has no lawful grounds for Processing the Personal Data.
- Right to withdraw Consent for the Processing of Personal Data - Customer is entitled to withdraw the consent granted for the Processing of Personal Data et any time. Withdrawal does not affect the lawfulness of the Processing conducted before the withdrawal.
- Right to File Complaints - Customer has the right to file complaints regarding Processing of his Personal Data.
In order to exercise any rights referred herein the Customer is required to submit a written application to Xolo (Xolo’s contact details can be find under Section 16). Xolo has the right to decline this application by justifying the reasons for the refusal.
According to the article 12(3) of GDPR, Xolo is obligated to respond to the application within 1 month. However, Xolo will make its best efforts to respond to Customer’s request within 1 week.
Cookies and tracking technologies
Xolo is using automatically collected information and other information collected within its website through cookies and similar technologies.
Cookies are small text files that a website or its service provider transfers to the Customer's computer hard drive through his website browser (if Customer allows) that enables the website's or service provider's systems to recognize Customer's browser and capture and remember certain information. For example, cookies may help a website remember certain preferences the Customer has selected on the website, such as language preferences.
- Within the website Xolo is using the following types of cookies:
- first-party cookies, which are stored to the Customer’s device by Xolo. These cookies allow website owners to collect analytics data, remember language settings, and perform other useful functions that provide a good user experience;
- third-party cookies, which are stored to the Customer’s device by other service providers on Xolo’s website. Xolo may use third-party analytics tools (such as Google Analytics), to help us measure traffic and usage trends for the Xolo’s Service. Web analytic service providers analyse the usage of the Xolo website and services so that Xolo could improve and amend our website/app and function thereof.
- Cookies are being used to serve the following purposes:
- to store authentication information and protect Personal Data from third parties;
- to personalize our Service, help remember Customer's choices within the website, understand and save Customer's preferences for future visits;
- to provide customized advertisements, content and information;
- to track Customer's entries, submissions, and status in any promotional or other activities on the Service;
- to monitor and analyse the effectiveness of the Service;
- to compile aggregate data about site traffic and site interactions in order to offer better site experiences and tools in the future.
The Customer can delete or block cookies through his browser settings at any time. However, some cookies might be necessary for the functionality of the Xolo Services and usage of the website. Therefore, the Customer understands that when blocking or deleting the cookies some features within the website might not function correctly. For more general information about cookies please see
- Within the website Xolo is using the following types of cookies:
Google Analytics and ads
Xolo have implemented the following Google Analytics features:
- Google Display Network Impression Reporting;
- Demographics and Interests Reporting.
Xolo along with third-party vendors, such as Google, use first-party cookies (such as the Google Analytics cookies) and third-party cookies or other third-party identifiers together to compile data regarding Customer interactions with ad impressions, and other ad service functions as they relate to our website.
Customers can set preferences for how Google advertises to them using the Google Ad Settings page. Alternatively, the Customer can opt out by visiting the Network Advertising initiative opt out page or permanently using the Google Analytics Opt Out Browser add on.
Xolo is using Google Analytics to measure and evaluate access to and traffic on the public area of our website and create user navigation reports for our website administrators.
Xolo takes measures to protect the technical information collected by the use of Google Analytics. The data collected will only be used on a need to know basis to resolve technical issues, administer the website and identify visitor preferences.
If a Customer receives commercial emails from us, he may unsubscribe at any time by following the instructions contained within the email or by sending an email to email@example.com
The Customer is able to view and modify settings relating to the nature and frequency of promotional communications that they receive from us by accessing the "Settings" section in the restricted area of the website.
The Customer has to be aware that if he opts-out of receiving commercial emails from us or otherwise modify the nature or frequency of promotional communications he receives from us, it may take up to five (5) business days for us to Process the request. Additionally, even after he/she opts-out from receiving commercial messages from us, he/she will continue to receive administrative messages from us regarding the Service.
Right to amend this Policy
Xolo is entitled to unilaterally amend this Policy from time to time. Upon amending the Policy, Xolo will notify the Customer about the terms by e-mail. In case the new terms refer to Processing of Customer’s Personal Data for any new purpose, which requires Customer’s consent, then Xolo will not Process Personal Data for such new purpose, before it has received respective consent.
Should the Customers have any questions regarding this Policy or Processing of Personal Data, they are welcome to contact Xolo with requests, inquiries or any complaints via email: firstname.lastname@example.org
By accepting this Policy, the Customer confirms that he has familiarized himself with this Policy, understood it and agree to its terms.
Last updated: June 15, 2020