PRIVACY NOTICE

1. TERMS AND DEFINITIONS

1.1. Company (also “we” or “fino.lk”) - S F Group (PRIVATE) LIMITED, registration No. PV00221752, legal address: No 47, Alexandra Place, Colombo 7 (Post Code 00700).

1.2. Data subject (also “you”) – individual, whose personal data is processed by the Company.

1.3. Webpage – Company’s webpage with the domain name – www.fino.lk

1.4. Notice – this Company’s Privacy notice.

1.5. Personal data - any information that can identify a data subject directly or indirectly, by reference to– (a) an identifier such as a name, an identification number, location data or an online identifier; or (b) one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual or natural person.

1.6. Privacy laws – Sri Lanka laws and regulations related to the protection of persona data, privacy, information security and similar matters.

2. PURPOSE OF THE NOTICE AND SCOPE OF APPLICATION

The purpose of this Notice is to inform the Data subject about the processing of Personal data by the Company. The Notice applies in all cases when the Company processes the Personal data of the Data subject (e.g., when the Data subject uses Company’s services, visits the Website, contacts the Company, etc.).

3. INFORMATION ABOUT CONTROLLER

Company is considered to be the controller of Personal data, which means that it determines the purposes of the processing of Personal data (i.e. "why" Personal data are processed) and the means (i.e. "how" Personal data are processed. Contact details of the company: (a) e-mail address: info@fino.lk (b) telephone number: 117750300.

4. PERSONAL DATA SOURCES

If it is legally justified in each individual case, the Company may receive Personal data about the Data subject in two ways:

4.1. directly from the Data subject, mainly when he/she:

1. applies for/uses Company’s services
2. visits the Website;
3. communicates with the Company (e.g., by phone, via the Webpage, e-mail, ordinary mail, social networks and other forms of communication);
4. otherwise provides Personal data to the Company.

4.2. from third sources, which may include the following:

1. Credit bureaus;
2. Private or public anti-fraud, anti-money laundering and counter-terrorism/proliferation financing data bases;
3. Private or public indebtedness databases;
4. State information systems/state institutions (e.g., tax authority, resident register, etc.);
5. Credit institution (bank) which is used by the Data subject;
6. Remote identification tool (if available on the Webpage);
7. Cookies and similar technologies.

5. WHICH PERSONAL DATA WE WILL PROCESS?

Company mainly processes the following data categories:

1. Basic data (e.g., name, surname, identification number, date of birth, age, gender);
2. Information about identification document (including its copy);
3. Contact details and contact persons (e.g., phone number, e-mail address, residence address, communication/native language, information about contact persons);
4. Information on economic situation (e.g., income, expenditure, liabilities, debts, purpose of the loan, etc.);
5. Information about employment (e.g. type of employment/occupation, working industry, employer, length of service, etc.);
6. Banking details (bank name, account number, etc.);
7. Data associated with the device (e.g. device identifier, device model, operating system version, etc.);
8. Communication data (by telephone (NB! All telephone conversations with the Company are recorded) or in writing);
9. Other Personal data provided by the data subject to the Company or obtained by the Company.

6. FOR WHICH PURPOSES WE WILL PROCESS PERSONAL DATA?

6.1. The Company will process Personal data primarily for the following purposes:

1. To provide services;
2. To enter and execute the loan agreement with the Data subject;
3. To create, maintain and administer user account on the Webpage;
4. Communication with the Data subject in connection with the services and/or loan agreement (transactional communication);
5. To assess creditworthiness of the Data subject;
6. To manage credit and other risks;
7. To prevent fraud, money laundering and terrorism or proliferation financing;
8. Prevention of misuse of Company’s services;
9. Raising and pursuing legal claims;
10. Debt collection (via court or out-of-court procedure);
11. Assignment of claims to other creditors;
12. Replying to the Data subject's application, complaint, request or question;
13. Conducting opinion surveys; Customer satisfaction assessment;
14. Exercise and protection of Company’s rights and interests;
15. Ensuring security (including information/cyber security), protection of property, detecting and preventing legal offences;
16. Improvement of the Company's Website and processes related to provision of services;
17. Preservation of proof;
18. Direct marketing purposes, such as: (1) sending commercial communications (e.g., depending on the Data subject's choice, sending up-to-date information about services, special offers, etc. to the data subject's e-mail and/or phone number, making calls, communicating with the Data subject through social networks as well as other communication channels); (2) organization of customer loyalty events (including organization of lotteries); (3) the use of targeting strategies, cookies and similar technologies; (4) evaluation and research of customer groups; (5) reaching potential customers and/or offering services through other information/communication channels (including, but not limited to, social networks, mail, internet, search sites, blogs, comparison sites and other channels);
19. Creation of a user database and other administrative purposes;
20. Fulfilment of obligations laid down in regulatory enactments;
21. Responding to requests from competent national authorities;
22. Research, analytics and statistics;
23. To troubleshoot service problems and disruptions.

6.2. The Company is entitled to process Personal data also for purposes other than those referred to in the previous paragraph, if there is a relevant legal basis.

7. BASED ON WHICH LEGAL BASES PERSONAL DATA WILL BE PROCESSED?

7.1. The legal basis on which we process your Personal data depends on the type of Personal data processed and for what purposes processing takes place.

7.2. We mainly process Personal data based on the following legal grounds: (a) your consent (where necessary, e.g. when sending you commercial communications); (b) conclusion of the loan agreement; (c) compliance with our legal obligation (e.g. ensuring the security of processing); (d) the processing is necessary for the protection of the vital interests of the person; (e) the processing is necessary for our legitimate interests or those of a third party (e.g. bringing and maintaining a legal claim, ensuring security, preventing misuse of Company’s services, internal administrative purposes, etc.).

7.3. If you provide us with Personal data of other persons, you must ensure that you are authorized to do so. If you have provided such Personal data we have the right to assume that you have received the respective authorization.

8. CATEGORIES OF RECIPIENTS AND PERSONAL DATA TRANSFER OUTSIDE SRI LANKA

8.1. Where legally justified in each individual case, Personal data may be transferred to the following categories of recipients:

1. Employees and officials of the Company;
2. Company service providers (processors and other controllers), e.g., information storage service provider, information and communication technology (ICT) service provider, etc.;
3. State institutions (e.g., Tax authorities, Personal data protection authorities, State Police, court, etc.);
4. Other recipients entitled to receive Personal data (e.g., credit bureaus, persons indicated by the Data subject, etc.).

8.2. We mainly process Personal data in the territory of Sri Lanka. However, while conducting our processing activities (e.g., when the Company uses a particular service), Personal data may be transferred to a recipient outside Sri Lanka. In this case, the Company ensures that the Privacy law requirements for the transfer of Personal data outside Sri Lanka are complied with. More detailed information on the transfer of Personal data is available by contacting the Company using the contact information provided in this document.

9. TERM OF STORAGE OF PERSONAL DATA

We will store Personal data in accordance with our data retention policy. The retention period depends mainly on the category of Personal data concerned and the purpose of the processing. For certain categories of Personal data, retention periods are laid down in the applicable laws (e.g. in the field of taxation, consumer protection, anti-money laundering, etc.). In other cases, when the retention period is not specified in the applicable laws, the Company determines the retention period itself, taking into account the principles of Personal data processing laid down in the Privacy laws. For example, a longer retention period may be set if Personal data is necessary for the purposes of the legitimate interests, e.g. by helping us respond to customer complaints, preventing legal offences, responding to requests from public authorities, etc. At the end of the retention period, Personal data will be deleted or permanently anonymised.

10. DATA SUBJECT RIGHTS

10.1. The Privacy laws grant Data subjects a number of rights in relation to their Personal data, namely:

1. Right of access to Personal data;
2. Right to be informed about processing of Personal data;
3. Right to rectify or complete Personal data;
4. Right to delete Personal data;
5. Right to request the controller to refrain from further processing;
6. Right to withdraw consent at any time if it is used as a legal basis for processing (NB! Withdrawal of consent does not affect the lawfulness of processing based on prior consent).

10.2. You should note that the above rights are not absolute. In particular, Privacy laws stipulate for preconditions to exercising the said rights as well as provide for limitations and exceptions to those rights.

10.3. In order to exercise the above-mentioned rights, the Data subject must contact the Company by sending a physically signed application to the Company’s legal address indicated herein.

10.4. If the Company has reasonable doubts about the identity of the natural person who submits a request for the exercise of the above-mentioned rights, the Company may request the Data subject to provide additional information for the confirmation of his/her identity.

11. DISPUTE RESOLUTION AND SUBMISSION OF CLAIMS

The Company hopes to resolve any dispute in a friendly manner and expects the Data subject to initially address the Company if he/she considers that the processing does not comply with the Privacy laws. However, the Data subject is entitled to submit a complaint to the Data Protection Authority of Sri Lanka if he/she considers that the processing carried out by the Company is in contradiction with the Privacy laws.

12. OBLIGATION TO PROVIDE PERSONAL DATA

Whether the Data subject has the right or obligation to provide personal data depends primarily on the purpose of the processing. For example, you are free to choose whether you wish to use Company's services or Website. In case you do, provision of Personal data will be mandatory in order to use the services offered through the Website, otherwise the Company will not be able to provide these services and enter into respective loan agreement. Signing up for newsletters from the Company is always voluntary and based on your consent, which you can always change or withdraw by contacting the Company via phone number provided herein.

13. AUTOMATED DECISION MAKING AND PROFILING

13.1. Before taking a decision whether to provide services to the Data subject and enter into a loan agreement, the Company must initially identify the Data subject, make sure that he/she does not try to commit fraudulent activities and is not involved in money laundering and/or terrorism/proliferation financing, as well as assess the Data subject's ability to repay the loan. In order to perform all of the above activities as quickly, efficiently and non-discriminatorily as possible, the Company uses its information and communication (ICT) solution, which allows it un automated manner to:

1. receive most of the necessary information about the Data subject;
2. analyze aspects related to the Data subject on the basis of the information received, including profiling (e.g., to assess the ability of the Data subject to repay the loan and determine the creditworthiness assessment, to assess the reliability of the Data subject, etc.);
3. take a decision on the provision or non-provision of the service as well as terms of provision of services (e.g., amount of loan, etc.).

13.2. The process described in the previous Clause allows the Company to make decisions in accordance with the principle of fair and responsible lending. To assess creditworthiness of the Data subject, mainly his/her economic situation is considered (e.g., the amount of income and expenses per month, amount of existing liabilities, credit history, etc.). The Company does not rely on discriminatory criteria such as gender, national or social origin of the Data subject, etc. In addition, the process described under this Section allows for the timely detection and prevention of fraud, money laundering, financing of terrorism and proliferation.

13.3. ICT solution referred to in this Section is regularly tested and, if necessary, improved to ensure the fairness, accuracy and objectivity of automated decision-making and/or profiling process.

13.4. In addition to the above, automated decision-making and/or profiling may take place in cases where Personal data are processed for direct marketing purposes (e.g., by analyzing aspects related to the trends, preferences and interests of service use by the Data subject; by carrying out targeting activities; addressing Data subject through social networks or other communication channels, etc.). As a result, the Company may improve the experience of provided services, e.g. by adapting the display of the services on the used device, preparing special offers to the Data subject, etc.

14. PASSWORD AND ACCESS TO USER ACCOUNT

14.1. When creating a user account on the Website, the Data subject is obliged to create a secure password. The Data subject is not entitled to disclose this password to any third party. The Data subject is obliged to change the password if he/she suspects that it became known to a third party.

14.2. The abovementioned user account may only be used by the Data subject him/herself for his or her own needs.

15. COOKIES

The Company may use cookies or similar technologies (hereinafter – cookies) on the Website. A cookie is a small file that usually consists of letters and numbers and is downloaded to a person's device/browser when that person accesses the Website. The cookie is sent back to the Company's Website on each subsequent visit, allowing you to recognize the device. Cookies do not harm the device and cannot contain viruses. You may adjust and change your cookie preferences as well as delete cookies at any time in your browser.

16. AMENDMENTS

The Company is entitled to unilaterally make changes to this Notice. The changes take effect on the day when the updated Notice is published on the Website. In case of significant changes, the Data subject will be informed about them using the contact information available to the Company.

17. CONSENT AND AUTHORIZATION

By continuing the application process, you confirm that you have read, understood, and agree to the provisions of this Notice. In particular, you:

17.1. accept the provisions of this Notice and agree to be bound by them;

17.2. acknowledge and consent that your personal data will be processed as described herein;

17.3. authorize the Company to perform processing activities as described herein (in particular, you authorize the Company to verify personal data (e.g., name, surname, home and work geolocation, as well as other data) with any third party the Company deems necessary. You also explicitly authorize the Company to expose your personal data to any third party for carrying out analytics to understand how you use Company’s or any third party’s services).