Privacy Policy

Last updated: August 24, 2023

For purposes of this Privacy Policy, the term “Bank” means Paxum Bank Limited, having its registered address at Centre Cross Lane, Roseau, Dominica.

At Paxum Bank, we take the privacy of our Clients very seriously. This privacy policy outlines how we collect, use, and protect your personal information. By using our services and accepting this policy, you consent to us collecting and using your information as described below.


Glossary

In this privacy policy, the following terms shall have the following meanings:

  • "Client," "Client," or "User" means a natural or legal person or another type of entity that registers for the Service or uses the Service as a Client, i.e. you.

  • "Personal data" is any information about an identified or identifiable natural person.

  • "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • "Data controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.

  • "Data processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

  • "GDPR" means the General Data Protection Regulation of the European Union.

  • "CCPA" means the California Consumer Privacy Act of the United States.

  • "Website" means www.paxumbank.com or www.paxum.com.

  • "Sensitive personal data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or a natural person's sex life or sexual orientation.

  • "Consent" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by an explicit affirmative action, signify agreement to the processing of personal data relating to them.

  • "Data subject" means the individual to whom the personal data relates.

  • "Third-party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

  • "Data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

  • "Privacy Notice" means a statement or document describing how an organization collects, uses, and shares personal data.

  • "Privacy Shield" means the framework for transatlantic exchanges of personal data between the European Union and the United States."

  • Right to be forgotten" means the right of a data subject to have their personal data erased by the data controller.

  • "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict factors concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

  • "Data portability" means the right of a data subject to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format. They have the right to transmit those data to another controller without hindrance.


1. Introduction

This privacy policy sets out how Paxum Bank collects, uses, and protects personal data per the General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).

2. Personal Data We Collect

  • 2.1. Categories of Personal Data

    The Bank may collect the following categories of personal data:

    • Identifiers such as name, address, email address, telephone number, date of birth, and government-issued identification numbers;
    • Financial information such as bank account numbers, credit card numbers, and transaction data;
    • Employment information such as job title, employer name, and salary information;
    • Internet and network activity such as browsing history, IP address, and device information; and
    • Other information that identifies or relates to an individual.
    • Sensitive personal data that is required to detect and prevent financial crime and other unlawful activity.

    If you visit the Bank's website ("Site") or the website of its Paxum.com brand for informational purposes only, the Bank will not require you to provide any personal information. You will remain anonymous unless you register for our services or otherwise disclose your identity. However, the Bank may collect and store specific visitor data including, but not limited to, browser type, Internet Protocol ("IP") address, and geo-location information.

    Other data may be collected in such cases as:

    • If an individual registers for an account with the Bank, the Bank will request information which includes the individual's name, email address, physical address, country of residence, contact phone numbers, date of birth, tax identification number, employment information, and the Bank may request bank account details and credit and/or debit card details;
    • If an entity registers for an account with the Bank, the Bank will request information from certain owners, directors and authorized individuals for the entity, which includes those individuals' names, email addresses, physical addresses, contact phone numbers, dates of birth, and government-issued identification numbers;
    • Before a Client utilizes any of the Bank's services and throughout our relationship with a Client, the Bank may require a Client to provide additional information to verify an individual's identity, address or other data to manage risk and compliance. We may also obtain information from third parties providing services such as identity verification, fraud prevention and similar services;
    • If you choose to participate in a Client survey, the Bank may ask for your name, email address and other information required by the particular survey; and
    • If you report a problem or submit a Client review, the Bank will ask you to provide your name, email address, and account number.

  • 2.2. Sources of Personal Data

    The Bank may collect personal data directly from individuals, third-party service providers, and publicly available sources, from the documentation you submit to us or information you submit to us through our website or other means of electronic communication.

3. How We Use Personal Data

  • 3.1. The Bank may use personal data for the following purposes:

    • Evaluating a Client for the Bank services a Client requests;
    • Registering a Client as a client and opening an account;
    • Contacting a Client to verify or reconfirm the accuracy of the information provided;
    • Facilitating payments and transactions as directed by a Client;
    • Confirming the existence and availability of funds;
    • Administering a Client's account;
    • Assisting in the provision of other services or products requested by a Client;
    • Resolving disputes and troubleshooting problems;
    • Preventing potentially fraudulent, prohibited or illegal activities and enforcing our contracts with a Client;
    • Complying with legal processes such as subpoenas and court orders and performing other duties as required by law;
    • Researching the demographics and behaviours of the Bank's Clients; and
    • Reporting to law enforcement authorities if the Bank believes a crime has been committed.

  • 3.2. Profiling and Automated Decision Making

    We may use some instances of your data to customize our Services and the information we provide to you and to address your needs - such as your country of address and transaction history. For example, if you frequently send funds from one particular currency to another, we may use this information to inform you of new product updates or features that may be useful for you. When we do this, we take all necessary measures to ensure that your privacy and security are protected - and we only use pseudonymized data where ever possible. This activity has no legal effect on you.

    We may use Automated Decision Making (ADM) to improve your experience or to help detect and fight financial crime. For example, we may use ADM to verify your identity documents or to confirm the accuracy of the information you provided us to provide you with efficient service. None of our ADM processes have a legal effect on you.

The Bank will only process personal data if it has a lawful basis. The legal bases for processing personal data may include the following:

  • The individual gives consent for one or more specific purposes;
  • Performance of a contract with the individual;
  • Compliance with the Proceeds of Crime Act (2014) and associated regulations;
  • Compliance with other legal obligations; or
  • Legitimate interests pursued by the Bank or a third party.

5. Data Protection Principles

  • 5.1. Lawfulness, Fairness, and Transparency

    The Bank will process personal data lawfully, fairly, and transparently.

  • 5.2. Purpose Limitation

    The Bank will only collect personal data for specified, explicit, and legitimate purposes and will not process personal data in a manner that is incompatible with those purposes.

  • 5.3. Data Minimization

    The Bank will only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

  • 5.4. Accuracy

    The Bank will take reasonable steps to ensure that personal data is accurate and up to date.

  • 5.5. Storage Limitation

    The Bank will only retain personal data for as long as necessary to fulfill the purposes for which it was collected or as required by law. The Bank must keep all account data for seven (7) years following the closure of an account or account application.

  • 5.6. Integrity and Confidentiality

    The Bank will process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

  • 5.7. Individual Rights

    Individuals have the following rights regarding their personal data:

    • The right to access their personal data held by the Bank;
    • The right to request correction or deletion of inaccurate data;
    • The right to object to the processing of their personal data;
    • The right to restrict processing of their personal data;
    • The right to data portability; and
    • The right to withdraw consent at any time.

  • 5.8. Your Rights

GDPR

  • 5.8.1. Under the GDPR, you have the following rights with respect to your personal data:

  • 5.8.1.1. The right to be informed: You have the right to know how your personal data is being processed and why.

  • 5.8.1.2. The right of access: You have the right to access your personal data held by us. You can exercise this right by making a request in writing to us.

  • 5.8.1.3. The right to rectification: You have the right to rectify inaccurate or incomplete personal data we hold on you. You can exercise this right by making a request in writing to us.

  • 5.8.1.4. The right to erasure (right to be forgotten): You have the right to have your personal data erased under certain circumstances. You can exercise this right by making a request in writing to us.

  • 5.8.1.5. The right to restrict processing: You have the right to request the restriction or suppression of your personal data. You can exercise this right by making a request in writing to us.

  • 5.8.1.6. The right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.

  • 5.8.1.7. The right to object: You have the right to object to the processing of your personal data in certain circumstances.

  • 5.8.1.8. The right to withdraw consent: If we rely on your consent to process your personal data, you have the right to withdraw your consent at any time. This will not affect the lawfulness of our processing based on your consent before its withdrawal. You grant us consent to process your personal data by agreeing to this policy.

CCPA

  • 5.8.2. Under the CCPA, you have the following rights with respect to your personal data:

  • 5.8.2.1. The right to know: You have the right to know what personal information we collect, use, disclose, and sell about you.

  • 5.8.2.2. The right to delete: You have the right to request the deletion of your personal information.

  • 5.8.2.3. The right to opt-out: You have the right to opt out of the sale of your personal information. Note that Paxum Bank does not sell your personal information.

  • 5.8.2.4. The right to non-discrimination: You have the right not to be discriminated against for exercising your privacy rights under the CCPA.

  • 5.9. Limitations

    Paxum Bank reserves the right to restrict certain information being sent to you, which is not about you should the Bank consider certain information a trade secret or if it infringes on another person's privacy rights. For example, if you request a list of all Paxum Bank employees who have access to your personal data, we will not be able to accommodate your request due to the privacy rights of those employees.

    Paxum Bank reserves the right to restrict certain information about you being sent to you if the Bank determines that sending such information to you does not fall under the purview of your data rights or if it is unlawful for the Bank to send information about you to you.

6. International Data Transfers

  • 6.1. Transfer Mechanisms

    The Bank may transfer personal data to countries outside Dominica, the EU/EEA, and the United States, where data protection laws may offer a different level of protection than those in the regions mentioned above. In such cases, the Bank will ensure that adequate safeguards are in place to protect personal data, such as:

    • Standard Contractual Clauses (SCCs): the Bank will use SCCs as approved by the European Commission or other relevant supervisory authorities.
    • Binding Corporate Rules (BCRs): where applicable, the Bank may use BCRs to ensure that personal data transferred within the Bank's group of companies are adequately protected.
    • Other Transfer Mechanisms: the Bank may use other transfer mechanisms recognized by applicable data protection laws, such as the EU-U.S. Privacy Shield framework.

  • 6.2. Data Subject Requests

    Data subjects have the right to access their personal data, as well as to request the correction, erasure, or restriction of processing of their personal data. Data subjects also have the right to object to the processing of their personal data, as well as the right to data portability.

    To exercise these rights, data subjects should contact the Bank's Data Protection Officer (DPO) using the contact details provided in section 10.

7. Data Security

  • 7.1. Technical and Organizational Measures

  • 7.1.1. The Bank is committed to ensuring the security and confidentiality of personal data. The Bank will implement appropriate technical and organizational measures to protect personal data from unauthorized access, accidental loss, destruction, or damage.

    Such measures may include:

    • Access controls and authentication mechanisms to restrict access to personal data to authorized personnel only.
    • Encryption of personal data in transit and at rest.
    • Regular backups and disaster recovery plans.
    • Monitoring and logging of access to personal data.
    • Employee training on data protection and information security.

  • 7.2. Third-Party Service Providers

    The Bank may engage third-party service providers to process personal data on its behalf, such as IT service providers, cloud service providers, or payment processors. The Bank will ensure that such third-party service providers offer sufficient guarantees to implement appropriate technical and organizational measures to ensure the security of personal data.

    The Bank will enter into written agreements with such third-party service providers that include provisions requiring them to implement appropriate technical and organizational measures to ensure the security of personal data and to process personal data only in accordance with the Bank's instructions.

  • 7.3. How the Bank Protects your Personal Information

    The Bank has implemented technical and managerial procedures to maintain accurate, current and complete information as well as to protect personal information from loss, misuse or alteration when it is under the Bank's control.

    Personally identifiable information will be stored on the Bank's secure servers or third-party servers in secure data centers. The Bank has ensured that or has confirmed that third parties maintaining the servers have appropriate safeguards such as firewalls and data encryption and that proper physical access controls to the files are enforced. The Bank authorizes access to personal information only for those employees who require it to fulfill their job responsibilities.

    Personal information is also password protected so that access is limited to Clients and those with whom a Client shares their password, the Bank, and third-party access facilitated by the Bank in relation to the performance of the services offered.

    The Bank has also taken steps to protect the integrity of its Clients' personal financial information when they initiate a transaction on the Bank's Site.

    Despite the Bank's reasonable efforts to protect personal information, the Bank cannot guarantee that personal information will not be accessed, disclosed, altered or destroyed.

8. Data Retention

  • 8.1. Because we're a regulated financial institution, Paxum Bank is obliged to store some of your personal and transactional data for up to 7 years following the closure of your account. Only a small number of our employees can see that data, and they'll only look at it if they need to. We always delete information that we no longer need. And everything we need to keep is subject to the highest levels of security.

    Please note: Retention periods could be subject to change, depending on where you live, changes to regulatory requirements, or other legal obligations with which we need to comply.

  • 8.2. Paxum Bank is required to retain all data associated with accounts determined to have been opened for seven years following account closure.

    For the purposes of data retention, Paxum Bank considers an account to be "open" once an application for a Paxum Bank or Paxum.com account has been submitted. An account is not required to be verified and active in order for it to be considered open. Submitting an account application and agreeing to Paxum Bank's Terms and Conditions, including this Privacy Policy, renders the account "open" and subject to data retention.

  • 8.3. In the event of identity theft, the Bank remains obligated to retain personal data submitted to the Bank, regardless of the circumstances of the identity theft.

  • 8.4. Basis of Retention: Even if you exercise your right to request data erasure vis-à-vis your personal data held by Paxum Bank, we may not be able to accommodate your request to other legal obligations of the Bank, including data retention for the purposes of complying with the Proceeds of Crime Act (2014) and its associated regulations and amendments.

    For example, if you wish to exercise your rights under GDPR to request the erasure of your data, you should keep in mind that Paxum Bank is entitled to retain all records related to natural and legal persons who apply for or who obtain a Paxum Bank account under:

    Recital 19 of the GDPR

    Article 6.1c of the GDPR

    Article 6.1e of the GDPR

    Article 17.3 of the GDPR

    We are entitled to retain your personal data, including sensitive personal data, because we are obliged to keep your data on file for a period of 7 years following the closure of your account to meet our legal obligations under the Proceeds of Crime Act (2014) and associated legislation and regulations.

    Paxum Bank also reserves the right to refuse a data erasure request following the data retention period in rare circumstances where it has a legal obligation to retain that data.

9. Contact Information

  • 9.1. Data Protection Officer

    The Bank has appointed a Data Protection Officer (DPO) who is responsible for overseeing the Bank's compliance with data protection laws and for addressing any inquiries or complaints regarding the Bank's processing of personal data.

    The DPO can be contacted at:

    privacy@paxumbank.com, where the request is for Paxum Bank Services.

    privacy@paxum.com, where the request is for Paxum.com Services.

  • 9.2. Other Contact Information

    Data subjects can contact their local Data Protection Commission or local equivalent with questions about their personal data and lodge complaints or submit information requests. Below is a non-exhaustive list of Data Protection Commissions and their contact information: list of countries

    If you would like to know more about your rights as a data subject, regardless of whether it relates to your account with Paxum Bank, a useful list of resources pertaining to data subject rights in various countries can be found here.

10. Changes to this Policy

  • 10.1. The Bank may update this Privacy Policy from time to time. The Bank will notify data subjects of any material changes to this Policy, such as changes to the purposes or categories of personal data collected, or changes to the Bank's contact information. The Bank will obtain the necessary consents from data subjects where required by applicable data protection laws.