Privacy Policy

SECTION A – INTRODUCTION

1. INTRODUCTION

1.1 The information in this document details how we, Finlake (“Finlake”), comply with the Vanuatu Privacy Principles, laws, and regulations in protecting the personal information we hold about you.

1.2 Personal information is any information or opinion about you that is capable, or reasonably capable, of identifying you, whether the information or opinion is true or not and is recorded in material form or not.

1.3 Sensitive information includes such things as your racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or criminal record, that is also personal information. Your health, genetic and biometric information and biometric templates are also sensitive information.

1.4 We will act to protect your personal and sensitive information in accordance with the Vanuatu laws and regulations, General Data Protection Regulation (‘the GDPR’) in European Union and the Personal Information Protection Law of the People’s Republic of China (‘the PIPL’). Those legislations share many common requirements. Where an obligation imposed by them are the same, but the terminology is different, we will comply with the terminology and wording used in the Vanuatu Laws and regulations, and this will constitute our compliance with the equivalent obligations under the other legislations. If the GDPR or PIPL imposes an obligation on Finlake that is not imposed by the Vanuatu laws and regulations, or the GDPR or PIPL obligation is more onerous than the equivalent obligation in the Vanuatu laws and regulations, Finlake will comply with the GDPR and/or PIPL.

1.5 We collect personal and/or sensitive information to provide you with the products and services you request as well as information on other products and services offered by or through us. The law requires us to collect personal and/or sensitive information.

1.6 We observe the principles of legality, propriety, necessity, and sincerity when we are collecting and/or handling your personal information. We will not handle your personal information in any way that is misleading, swindling, coercive or other such ways.

1.7 Your personal and/or sensitive information may be used by us to administer our products and services, for prudential and risk management purposes and, unless you tell us otherwise, to provide you with related marketing information. We also use the information we hold to help detect and prevent illegal activity. We cooperate with police and other enforcement bodies as required or allowed by law.

1.8 We disclose relevant personal information to external organisations that help us provide
services. These organisations are bound by confidentiality arrangements. They may include
overseas organisations.

1.9 You can seek access to and/or make a copy of the personal information we hold about you. If the information we hold about you is inaccurate, incomplete, or outdated, please inform us so that we can correct it. If we deny access to your personal information, we will let you know why. For example, we may give an explanation of a commercially sensitive decision, or give you access to the information through a mutually agreed intermediary, rather than direct access to evaluative information connected with it.

1.10 Aggregated data is general data about groups of people which doesn’t identify anyone
personally (e.g., the number of people in a particular industry that engage in forex trading). We may share aggregated data with our business or industry partners. We may use the
aggregated data to help us to:

(a) to understand how you use our products and services and improve your experience with
us; and

(b) customise the way that we communicate with you about our products and services so
that we can interact with you more effectively.

1.11 We keep this Policy under regular review and may update it from time to time to reflects
changes in the law and/or our privacy practices. We encourage you to check the date of this
Policy for any updates or changes when you visit our website or use our services. Any modified versions of this Policy may materially affect the way we use or disclose your personal information.

SECTION B – COLLECTION OF PERSONAL INFORMATION

2. Why we collect information

2.1 We collect personal information when it is reasonably necessary for one or more of our
functions or activities.

2.2 These include:

(a) providing customers with the products and services they request and, unless they tell us
otherwise, to provide information on products and services offered by us and external product and service providers for whom we act as agent (that may be of interest to you). (If you have provided us with your email or mobile phone details, we may provide information to you electronically with respect to those products and services);

(b) complying with our legal obligations;

(c) monitoring and evaluating products and services;

(d) gathering and aggregating information for statistical, prudential, actuarial and research purpose;

(e) assisting customers with queries and any concerns you raise against us and/or to manage any legal action; and

(f) taking measures to detect and prevent frauds, unlawful activity, or misconduct.

3. Information we may collect

3.1 The personal and sensitive information we collect generally consists of name, address, date of birth, gender, marital status, occupation, account details, contact details (including
telephone, facsimile and e-mail), financial information (including details of your nominated
bank account, your employment details, your trading data or trading performance, and/or your taxation information) and additional information you provide to us, directly or indirectly, through your use of our site, associated applications, associated social media platforms and/or accounts from which you permit us to collect information.

3.2 We are required by law to identify you if you are opening a new account or adding a new
signatory to an existing account. Anti-money laundering laws require us to sight and record
details of certain documents to verify your identity (i.e. photographic and non-photographic
documents) in order to meet the standards set under those laws.

3.3 Where it is necessary to do so, we also collect information on individuals such as:

(a) trustees;

(b) partners;

(c) company directors and officers;

(d) officers of co-operatives and associations;

(e) customer’s agents;

(f) beneficial owners of a client; and

(g) persons dealing with us on a “one-off” basis.

3.4 We may take steps to verify the information we collect; for example, a birth certificate provided as identification may be verified with records held by the Registry of Births, Deaths and Marriages to protect against impersonation, or we may verify with an employer that
employment and remuneration information provided in an application for credit is accurate.

4. Inform you before obtaining consent

4.1 We will, before obtaining your consent and collecting personal information, explicitly inform you truthfully, accurately, and fully of the following items using clear and easily understood language:

(a) The name and contact method of the personal information handler;

(b) The purpose of personal information processing and the processing methods, the
categories of processed personal information, the legal basis for the processing and the
storage period;

(c) The recipients or categories of recipients of the personal data, if any;

(d) Where applicable, the fact that person data is to be transferred to a third country or
international organisation, we will ensure that we have adopted the appropriate
safeguards; and

(e) Other information necessary to ensure fair and transparent processing.

5. Consent

5.1 We only collect personal information subject to your consent. The consent must be voluntarily given, and we ensure that we do not force, pressure, induce or manipulate you into providing consent, neither will we elicit consent by asking leading questions.

5.2 When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal information that is not necessary for the performance of that contract.

5.3 We will provide clear, reasonably understandable, and full information to you of the specific purpose of obtaining consent.

5.4 You shall have the right to withdraw your consent at any time. We provide a convenient and easy way for you to withdraw consent. If you rescind consent, it does not affect the
effectiveness of personal information handling activities undertaken on the basis of individual
consent before consent was withdrawn.

5.5 If your consent is given in the context of a written declaration which also concerns other
matters, we will present the request for consent in a manner which is clearly distinguishable
from the other matters, in an intelligible and easily accessible form, using clear and plain
language.

5.6 Where a change occurs in the purpose of personal information handling, the handling method, or the categories of handled personal information, the data subject’s consent shall be obtained again.

6. How we collect the information

6.1 We only collect personal information about you directly from you (rather than someone else) unless it is unreasonable or impracticable to do so or you have instructed us to liaise with someone else.

6.2 Your personal data will be collected in a way that is adequate, relevant, and limited to what is necessary in relation to the purpose for which the personal information is processed.

6.3 We may, within a reasonable scope, handle personal information that has already been
disclosed by yourself or otherwise lawfully disclosed, except where you clearly refuse. We shall obtain your consent if there will be a major influence on your rights and interests.

7. Information collected from someone else

7.1 If it is impracticable or unreasonable for us to collect the personal information directly from you, we may collect such information from agents, or from your family members or friends. If you of collection and the circumstances of collection, if we consider it is reasonable to do so.

7.2 The relevant Anti-Money Laundering and Counter-Terrorism Financing laws and regulations require us to collect certain identification information about you. We will collect personal information from third parties in respect of AML/CTF checks which are required to be carried out, under AML/CTF Legislation.

8. Incomplete or inaccurate information

8.1 We may not be able to provide you with the products or services you are seeking if you provide incomplete or inaccurate information.

9. Sensitive information

9.1 In addition to the above conditions of collecting personal information, we will only collect
sensitive information about you if we obtain prior consent to the collection of the information or if the collection is required or authorised by law, or it is necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct.

10. Dealing with unsolicited personal information

10.1 If we receive personal information that is not solicited by us, we will only retain it, if we
determine that it is reasonably necessary for one or more of our functions or activities and that you have consented to the information being collected or given the absence of your consent that it was impracticable or unreasonable for us to obtain it under the circumstances.

10.2 If these conditions are not met, we will destroy or de-identify the information.

10.3 If such unsolicited information is sensitive information, we will obtain your consent to retain it regardless of what the circumstances are.

SECTION C – INTEGRITY OF YOUR PERSONAL INFORMATION

11. Quality of personal information

11.1 We ensure that the personal information we collect and use or disclose is accurate, up to date, complete and relevant.

11.2 Please contact us if any of the details you have provided to us change or if you believe that the information we have about you is not accurate or up to date.

11.3 We may also take steps to update personal information we hold, for example, an address, by collecting personal information from publicly available sources such as telephone directories or electoral rolls.

12. Security of personal information

12.1 We are committed to ensure that we protect any personal information we hold from misuse, interference, loss, unauthorised access, modification, and disclosure.

12.2 For this purpose we have a range of practices and policies in place to provide a robust security environment. We ensure the on-going adequacy of these measures by regularly reviewing them.

12.3 Our security measures include, but are not limited to:

(a) educating our staff as to their obligations with regard to your personal information;

(b) requiring our staff to use passwords when accessing our systems;

(c) employing firewalls, intrusion detection systems, virtual private networks (VPNs), encryption, and virus scanning tools to protect against unauthorised persons and viruses
from entering our systems;

(d) using dedicated secure networks or encryption when we transmit electronic data for
purposes of outsourcing;

(e) providing secure storage for physical records; and

(f) employing physical and electronic means such as alarms, cameras and guards (as
required) to protect against unauthorised access to buildings.

12.4 Where information we hold is identified as no longer needed for any purpose, we ensure it is effectively and securely destroyed, for example, by shredding or pulping in the case of paper records or by degaussing (demagnetism of the medium using alternating electric currents) and other means in the case of electronic records and equipment.

SECTION D – USE OR DISCLOSURE OF PERSONAL INFORMATION

13. Use or Disclosure

13.1 If we hold personal information about you that was collected for a particular purpose (“the primary purpose”), we will not use or disclose the information for another purpose (“the
secondary purpose”) unless:

(a) We have obtained your consent to use or disclose the information; or

(b) you would reasonably expect us to use or disclose the information for the secondary
purpose and the secondary purpose is:

(i) if the information is sensitive – directly related to the primary purpose; or
(ii) if the information is not sensitive – related to the primary purpose;

(c) the use or disclosure of the information is required or authorised by or under a Vanuatu
laws or a court/tribunal order; or

(d) a permitted general situation exists in relation to the use or disclosure of the information
by us; or

(e) a permitted health situation exists in relation to the use or disclosure of the information
by us, in which case we will de-identify the information before disclosing it; or

(f) we reasonably believe that the use or disclosure of the information is reasonably
necessary for one or more enforcement related activities conducted by, or on behalf of,
an enforcement body; or

13.2 Where we use or disclose personal information in accordance with section 13(1)(e) we will keep a copy of this disclosure (e.g.: the email or letter used to do so).

13.3 We will only retain your personal data for as long as we reasonably require it for legal or
business purpose or as otherwise required.

14. Who we may communicate with

14.1 Depending on the product or service you have, the entities we exchange your information with include but are not limited to:

(a) brokers and agents who refer your business to us;

(b) affiliated product and service providers and external product and service providers for
whom we act as agent (so that they may provide you with the product or service you
seek or in which you have expressed an interest);

(c) auditors we appoint to ensure the integrity of our operations;

(d) any person acting on your behalf, including your solicitor, settlement agent, accountant,
executor, administrator, trustee, guardian or attorney;

(e) your referee (to confirm details about you);

(f) if required or authorised to do so, regulatory bodies, law enforcement bodies, courts and
government agencies;

(g) credit reporting agencies;

(h) insurers, including proposed insurers and insurance reference agencies (where we are
considering whether to accept a proposal of insurance from you and, if so, on what
terms);

(i) medical practitioners (to verify or clarify, if necessary, any health information you may
provide);

(j) other financial institutions and organisations at their request if you seek credit from them
(so that they may assess whether to offer you credit);
(k) investors, advisers, trustees and ratings agencies where credit facilities and receivables
are pooled and sold (securitised);

(l) other organisations who in conjunction with us provide products and services (so that
they may provide their products and services to you) including organisations involved in
managing payments such as banks; and

(m) professional associations or organisations with whom we conduct an affinity relationship
(to verify your membership of those associations or organisations).

14.2 Our use or disclosure of personal information may not be limited to the examples above.

15. Outsourcing

15.1 We disclose personal information when we outsource certain functions, including bulk mailing, data storage, card and cheque book production, market research, direct marketing, statement production, debt recovery and information technology support. We also seek expert help from time to time to help us improve our systems, products, and services.

15.2 We use banking agents, for example, local businesses, to help provide you with face-to-face banking services. These agents collect personal information on our behalf.

15.3 In all circumstances where personal information may become known to our contractors, agents and outsourced service providers, there are confidentiality arrangements in place. Contractors, agents and outsourced service providers are not able to use or disclose personal information for any purposes other than our own.

15.4 We take our obligations to protect customer information very seriously we make every effort to deal only with parties who share and demonstrate the same attitude.

16. Joint handler

16.1 Where two or more handlers jointly determine the purposes and means of processing, they shall be joint handlers. When we jointly handling your personal information with others, we will in transparent manner determine our respective responsibilities for compliance with the obligations under the laws by ways of arrangement between us unless the respective responsibilities are determined by the relevant laws.

17. Disclosure required by law

17.1 We may be required to disclose customer information by law e.g. under Court Orders or
Statutory Notices pursuant to taxation or social security laws or under laws relating to
sanctions, anti-money laundering or counter terrorism financing.

SECTION F – CROSS BORDER DISCLOSURE OF PERSONAL INFORMATION

18. Disclosing personal information to cross border recipients

18.1 We will only disclose your personal information to a recipient who is not in Vanuatu and who is not our entity after we ensure that:

(a) the overseas recipient does not breach the Vanuatu privacy laws and regulations; or

(b) you will be able to access to take action to enforce the protection of a law or binding
scheme that has the effect of protecting the information in a way that is at least
substantially similar to the way in which the Vanuatu privacy laws protect the information;
or

(c) you have consented to the disclosure after we expressly informed you that there is no
guarantee that the overseas recipient will not breach the Vanuatu privacy laws and
regulations; or

(d) the disclosure of the information is required or authorised by or under a Vanuatu law or
a court/tribunal order; or

(e) other permitted general situation under the Vanuatu laws and regulations in relation to
the disclosure of the information.

SECTION G – ADOPTION, USE OR DISCLOSURE OF GOVERNMENT IDENTIFIERS

19. Adoption of government related identifiers

19.1 We will not adopt a government related identifier of an individual as our own identifier unless required or authorised to do so by or under a Vanuatu law, regulation, or court/tribunal order.

20. Use or disclosure of government related identifiers

20.1 Before using or disclosing a government related identifier of an individual, we will ensure that such use or disclosure is:

(a) reasonably necessary for us to verify your identity for the purposes of our activities or
functions; or

(b) reasonably necessary for us to fulfil its obligations to a government agency or authority;
or

(c) required or authorised by or under the Vanuatu law, regulation, or a court/tribunal order;
or

(d) within a permitted general situation under the Vanuatu laws and regulations; or

(e) reasonably necessary for one or more enforcement related activities conducted by, or
on behalf of, an enforcement body.

SECTION H – ACCESS TO PESRONAL INFORMATION

21. Access

21.1 You can request us to provide you with access to the personal information we hold about you.

21.2 Requests for access to limited amounts of personal information, such as checking to see what address or telephone number we have recorded, can generally be handled over the telephone.

21.3 If you would like to request access to more substantial amounts of personal information such as details of what is recorded in your account file, we will require you to complete and sign a “Request for Access to Personal Information” form.

21.4 Following receipt of your request, we will provide you with an estimate of the access charge and confirm that you want to proceed.

21.5 We will not charge you for making the request for access, however access charges may apply to cover our costs in locating, collating, and explaining the information you request.

21.6 We will respond to your request as soon as possible and in the manner requested by you. We will endeavour to comply with your request within 14 days of its receipt but, if that deadline cannot be met owing to exceptional circumstances, your request will be dealt with within 30 days. It will help us provide access if you can tell us what you are looking for.

21.7 Your identity will be confirmed before access is provided.

22. Exceptions

22.1 In particular circumstances we are permitted by law to deny your request for access or limit the access we provide. We will let you know why your request is denied or limited if this is the case. For example, we may give an explanation of a commercially sensitive decision rather than direct access to evaluative information connected with it.

23. Refusal to give access and other means of access

23.1 If we refuse to give access to the personal information or to give access in the manner
requested by you, we will give you a written notice setting out the reasons for the refusal, the
mechanisms available to complain and any other relevant matter.

23.2 Additionally, we will endeavour to give access in a way that meets both yours and our needs.

SECTION I – CORRECTION OF PERSONAL INFORMATION

24. Correction

24.1 We will correct all personal information that we believe to be inaccurate, out of date,
incomplete, irrelevant or misleading given the purpose for which that information is held or if
you request us to correct the information.

24.2 If we correct your personal information that we previously disclosed to another entity you can request us to notify the other entity of the correction. Following such a request, we will give that notification unless it is impracticable or unlawful to do so.

25. Refusal to correct information

25.1 If we refuse to correct the personal information as requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.

26. Request to associate a statement

26.1 If we refuse to correct the personal information as requested by you, you can request us to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading. We will then associate the statement in such a way that will make the statement apparent to users of the information.

SECTION J – RIGHT TO ERASE

27. Right to Erase

27.1 You may request us to erase your personal information if you reside in the (European
Economic Area (‘EEA’) and China. We will erase, destroy, or delete your personal information without undue delay where one of the following grounds applies:

(a) the personal information is no longer necessary in relation to the purpose for which it was
collected;

(b) you withdraw consent on which the using of personal information is based and where
there is no other legal ground for the using (i.e., the provision of products or services); or

(c) the personal information has been unlawfully used.

27.2 Section 28.1 shall not apply to the extent that processing personal information is necessary:

(a) for compliance with a legal obligation which requires processing of personal information;
or

(b) for archiving purposes in the historical research or statistical purposes in so far as the
right referred in 28.1 is likely to render impossible or seriously impair the achievement of
the objectives of that processing; or

(c) for the establishment, exercise, or defence of legal claims.

28. You may have other rights

28.1 If you reside in the EEA, you may request us to restrict data processing: You may ask us to limit the processing of your personal information where you believe that the personal
information we hold about you is wrong (to give us enough time to verify if the information
needs to be changed), or where processing data is unlawful and you request us to restrict the processing of personal information rather than it being erased.

28.2 You may also have the right to ask us to explain the rules of processing your personal
information. We will handle your request without undue delay.

28.3 When a natural person is deceased, their next of kin may, for the sake of their own lawful and legitimate interests, exercise the rights that could otherwise be exercised by the deceased, except when the deceased has otherwise arrangement before their death.

SECTION K – COOKIES

29. What is a cookie

29.1 A cookie is a text file with small pieces of data that are used to identify your computer as you use a computer network. If your computer settings allow cookies, then the file is added, and the cookie helps analyse web traffic or lets the site owner know when you visit a particular site.

29.2 Please be aware that our website may contain links or references to third-party websites, and our Privacy Policy does not apply to those websites. We are not responsible for the content or information collection practices of those pages, and we take no responsibility for the privacy practices or security of other websites. We encourage you to view and understand their privacy practices before providing them with any information.

29.3 We may disclose the data we collect through cookies to our related companies.

29.4 For detailed information, please refer to our Cookies Policy.

SECTION L – RESPONSE TO YOUR REQUESTS

30. Action taken on request

30.1 We facilitate the exercise of your right of access. We ensure that we will provide information on action taken on a request to you without undue delay and in any event within one (1) month of receiving the request. The period may be extended by two (2) further months where necessary, taking into account of the complexity and number of requests together with the reasons for the delay.

SECTION M – BREACHES

31. Personal information leakage, distortion, or loss

31.1 We shall take immediate remedial measures when your personal information has been or we have reasonable grounds to suspect that has been leaked, distorted, or lost. We will also report to the supervising authorities when:

(a) There is unauthorised access to or unauthorised disclosure of personal information,
or a loss of personal information that we hold;

(b) It is likely to result in serious harm to one or more individuals; and

(c) We haven’t been able to prevent the likely risk of serious harm with remedial action.