Privacy Policy

This privacy policy regulates the relationship between "CASHLEND BG" OOD, as the controller of personal data, and the natural persons, subjects of personal data, who are users of the Cashlend Platform (Cashlend for short), accessible through a website with the Cashlend.bg domain.

The privacy policy of CASHLAND BG OOD is based on the General Data Protection Regulation (EU) 2016/679 (GDPR). The information in it is intended to ensure transparency for users of the Cashlend Platform and to provide timely information about the processing of personal data, including the rules, purposes, grounds for processing, exchanges with third parties and information about the rights that each natural person can exercised in relation to personal data.

Cashlend services can be used after registering a user profile. The user's personal information is required for registration. The data provided will be collected, processed and stored as described in this policy and the provisions of national and European legislation.

Each user, before starting the registration process on the Cashlend Platform, should carefully read the General Terms and Conditions and this Privacy Policy.

Concepts used

"Personal Data" means any information relating to an identified natural person or an identifiable natural person ("data subject").

"Processing" means any operation or set of operations performed on personal data or a set of personal data by automatic or other means such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, distribution or other way in which the data is made available, arranged or combined, restricted, deleted or destroyed;

"Administrator of personal data" is any person or legal person who alone or jointly with others determines the purposes and means of this processing of personal data.

"Joint administrators" are two or more administrators who jointly determine the purposes and means of processing.

Data for the Administrator

"CASHLAND BG" Ltd. is the administrator of personal data.

• Entry in public registers:
  • EIK 203868888 in TRRYULNC at the Registration Agency
• Headquarters and address of management: town of Yambol 8600, g.k. Zl. rog, №28, entrance B, floor 4, apartment 149
• Correspondence details:
  • Phone: +359 888 52 55 49
  • E-mail: info@cashlend.bg
  • Contact person: Venelin Todorov – Manager

Joint administrators

Joint administrators, together with "CASHLAND BG" OOD, are:

1. ”CREDEX” LTD.
   • Entry in public records
     • EIK 205849529 in the TRRYULNC at the Registration Agency
   • Headquarters and address of management:
     • Sofia, 1164, g.k. Lozenets, "Metropolitan Kiril Vidinski" street №2, apartment 3
   • Correspondence details:
     • Phone: 0700 50 013
     • E-mail: info@credex.eu
     • Contact person - Ivaylo Mitev

The joint administrators, by mutual agreement, have distributed in a transparent manner the relevant roles and responsibilities for fulfilling the obligations to comply with Regulation (EU) 2016/679 of 27.04.2016.

For organizational, technical and security reasons, "CASHLAND BG" Ltd. directly collects and processes personal data according to the applicable General Terms and Conditions for the Cashlend Platform.

"CASHLAND BG" Ltd., performs the function of a point of contact with the supervisory authority, data subjects and third parties in connection with the processing and protection of personal data in the Cashlend Platform. "CASHLAND" Ltd. informs data subjects and organizes the exercise of their rights, including provision of requested information and access to personal data, correction and deletion, restriction of processing, confirmations and notifications, objections and complaints.

Regardless of the terms of agreement between the joint controllers, data subjects may exercise their rights under Regulation (EU) 2016/679 of 27.04.2016 against each of the joint controllers.

This Privacy Policy is prepared and published by the Administrator "CASHLAND BG" OOD (hereinafter referred to as the Administrator) and is applicable to the other Joint Administrators.

Purposes and basis of processing

The Cashlend platform collects and processes personal data to achieve the following goals, in the description of which the grounds for their processing are indicated:

1. Identification of users, natural persons, identity verification, account registration and management, authentication;
2. Conclusion of a contract under the General Terms and Conditions for the provision of services, as well as when taking the steps to conclude it at the user's request;
3. Conclusion of agreements for the transfer of receivables, as well as when taking the steps to conclude them at the user's request;
4. Administration and accurate execution of concluded contracts, agreements and other legal relationships;
5. Managing business operations (including ensuring security and reliability);
6. Ensuring accountability for payments, for accounting and tax purposes;
7. Fulfillment of specific legal obligations applicable to the Administrator/Co-Administrators, including for the purposes of monitoring and preventing fraud, money laundering, tax evasion;
8. Establishing a relationship and facilitating communication with users, including informing about changes to General Terms and Conditions, policies and services;
9. Handling complaints, resolving disputes and other legal claims;
10. Statistical surveys and analyzes of results without being used for decisions or actions concerning a specific person;
11. Protection of the legitimate interests of the Administrator, when this is proportionate to the rights and interests of the subjects of personal data.

If it is necessary to achieve an additional or different purpose, the Administrator will require the express, specific, free and informed consent of the Cashlend user by providing information about the purposes and method of this processing. When the processing is based solely on the consent of the user, in order to ensure his free choice, the Administrator will provide the possibility for the consent for the processing for the various purposes to be given and withdrawn independently.

Types of personal data

The administrator collects and processes personal data of individuals who have applied for user profile registration. Depending on the functionalities of the Cashlend Platform and the services requested by the user, these may be the following types of data:

• Names, uniform civil number/date of birth, permanent address and other data from an identity document regarding number, date, place and issuing authority, image (photo) in electronic form;
• Current address, e-mail address, telephone;
• Username and Cashlend generated unique identifiers, IP address;
• Bank account information, cash transactions and payments for services through Cashlend, sources of funds, employment and insurance details;
• Any other necessary information, including financial, that the user voluntarily provides during registration or at a later stage when identifying and using the services of the Cashlend Platform.

The registration of a user profile can only be allowed after the identification of the user, and for this purpose and in the case of necessity, the Administrator can carry out a complex check, which includes providing a copy of an identity document, conducting an interview by phone or via video- conversation, verification of the reliability of the data provided by the user by comparing them with the personal data obtained from the information arrays of other administrators or a requirement. Data from the video call is not recorded or stored. Sensitive or other special categories of personal data are not purposefully included in the processing. Before starting a video chat, the user is given the opportunity to agree or object to the processing of his data through a video chat, stating specific reasons. If you object to such processing, data in this context cannot be collected. In these cases, the objection does not lead to an automatic denial of access to the services of the Cashlend Platform.

The given possibility to preserve the autonomy of individuals does not cancel the right of the Administrator to refuse registration, conclusion of a contract or an agreement for the transfer of a claim, if, according to the specifics of the case, the identity of the user cannot be unambiguously established or after combining the collected volume of data from from various sources, reasonable doubt has arisen about his identity or the legality of the user's actions.

Due to the specificity of the activity and the risks when investing, the Administrator introduces a restrictive minimum age threshold for registering a user profile - 20 years. In the event that the data subject is under the age of 20, he should not register and should not provide personal data about himself.

When registering on the Cashlend platform, the user enters and provides personal data for which he gives his express free and informed consent to be processed in accordance with this Privacy Policy and current legislation. The use of Cashlend services and provision of personal data is voluntary on the part of individuals, and by entering the data on their part, it is assumed that the same with their active actions express their will for the Administrator to process the provided data in accordance with this Privacy Policy .

The administrator can receive personal data for the users of the Cashlend Platform from information arrays of other personal data administrators (Ministry of Internal Affairs, National Institute of Internal Affairs and Communications, National Insurance Agency, BNB, etc.). The amount of data requested is consistent with the purpose for which it is needed, in particular for identification, verification of the user's identity and compliance with legal requirements. The administrator may receive publicly available information about the user, including, but not limited to, in the event that the user connects his user profile or identification data on the Cashlend Platform with his profile on third-party social networks/interactive applications, insofar as such technical possibility is available .

The use of the Cashlend online platform is tied to the exchange of information for the purpose of the efficient functioning and provision of the services. This exchange is automatic and is tied to the creation of server logs and the use of online identifiers. Some of this information constitutes personal data and by accepting this Privacy Policy, the user agrees to their processing. The system may automatically save log files containing IP address and other information necessary to reproduce the user's electronic statements.

Processing and storage period

The data is processed for the entire period during which the user has a registered user profile in Cashlend. The user profile may be closed according to the applicable Terms and Conditions.

After closing the user profile, the Administrator stores the data only in the cases provided by law according to the type of data, if there is an obligation for their longer storage in accordance with the applicable legislation or to exercise legal claims. In these cases, the Administrator limits their processing in the future to the most necessary for the purpose that prevents deletion by storing the data under conditions of limited accessibility, including by archiving or blocking.

Any information that has exhausted the basis and purposes for its processing is deleted, after the judgment made for this in the annual inventory process. Upon deletion, the Administrator shall notify the data subject of third parties/personal data processors to whom the data has been provided, if this has been done.

Information sharing

As a rule, the Administrator does not disclose personal data to third parties.

The administrator shares personal data on a "need to know" basis with persons who have the capacity of joint administrators by agreement.

The administrator may allow disclosure at the request of the data subject of his own data and of persons named by him. The data can be disclosed upon request by the competent state authorities if there is a legal basis for this.

Data may be provided to contractors processing personal data (e.g. accountants maintaining IT systems) and financial institutions. Toma can be done as part of the payment procedure for services used, fulfillment of concluded contracts, agreements and other legal relations, as well as for accounting and tax purposes.

The administrator does not transfer data to third countries outside the European Union and the European Economic Area. In the event that a transfer is required to persons who are outside the EU, who do not apply the necessary requirements of Regulation (EU) 2016/679, the Administrator will ensure the protection of personal data through contractual or other permissible legal instruments.

Information security measures

The administrator takes into account the inviolability of the person and makes efforts to protect against unlawful processing of the users' personal data. In accordance with the legislation and good practices, the Administrator takes all appropriate technical and organizational measures to control the risk of illegal activities, taking reasonable care for the security of the information provided.

The administrator has developed effective technical, legal and organizational measures to maintain information security, including protective methods such as coding systems and authorization systems. Data is stored on secure servers using the latest encryption algorithms and ensuring the storage of backup copies. The administrator has personally authorized persons to support the processes of lawful processing, protection and ensuring the security of data. Additional measures are implemented through anonymization and pseudonymization of data.

Despite the measures it applies to protect personal data, the Administrator is aware that, in principle, the transmission of information over the Internet or other public networks is not completely safe, and there is a risk that the data can be viewed and used by unauthorized third parties. The administrator cannot accept responsibility for vulnerabilities of these systems that are not under his control.

In the event of a data security breach, the Administrator immediately takes measures to limit the adverse consequences, notifies the supervisory authority as well as the data subject when there is a possibility of creating a high risk for the rights and freedoms of natural persons.

For his part, the data subject should also take appropriate measures to protect himself from intrusion and protect the confidentiality of his user profile, and the Administrator cannot be held responsible for the consequences of the data subject's negligence.

When the data subject publishes in forums, chat rooms or social network services personal information that is visible to other users and can be read, collected or used by them, he is responsible for the data he chooses to provide.

In case the data subject provides his personal data to the Administrator through a platform/social network (Viber, Skype, Facebook or others), he is informed that these platforms/websites/social networks have their own privacy rules and that the Administrator does not assume responsibility for these rules, insofar as the processing on their part cannot be controlled by the Administrator. In this regard, it is recommended to check their policies before sending or sharing personal data.

Rights of data subjects

The data subject has the following rights, for the exercise of which the Administrator provides the necessary assistance:

• Right to receive from the Administrator information about whether and which of his personal data are being processed, as well as the purposes and term for this processing ("right to information and access to personal data"). The data subject may request information regarding all recipients to whom the personal data for which correction, erasure or restriction of processing is requested has been disclosed. When personal data are not collected from the data subject, the Administrator provides the available information about their source;
• Right to data portability – if processed in an automated manner on the basis of consent or contract. If it is technically feasible, the transfer of the data can take place directly from one administrator to another. The right to portability covers only data provided personally by the data subject, as well as personal data generated and collected by the Administrator's activity;
• Right to erasure of personal data ("right to be forgotten") that are processed unlawfully or with a lost legal basis (expired storage period, withdrawn consent, completed original purpose for which they were collected, etc.). The administrator may refuse to delete part or all of the personal data in cases where there is a substantial reason and/or legal obligation for their processing;
• Right to correct or supplement inaccurate or incomplete personal data;
• The right to limit processing, including in the presence of a legal dispute;
• Right to withdraw consent when the processing of personal data is based on the prior consent of the data subject. Such withdrawal does not affect the lawfulness of the processing based on the consent given until the time of its withdrawal;
• The right to object - at any time and on grounds related to the individual's specific situation, if it is considered that there are no compelling legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject, or that the processing is not necessary for legal claims. When the objection is justified, the personal data of the individual concerned can no longer be processed;
• Right not to be subject to a fully automated decision involving profiling that gives rise to legal consequences for the data subject or significantly affects him;
• Right to protection under administrative procedure with a complaint to the supervisory authorities or judicial procedure with a complaint to the competent court.

The data subject is responsible for the completeness, up-to-dateness and correctness of the data they provide. If a discrepancy between the provided data and the current information is established or occurs, the data subject has the right and obligation to correct the discrepancy or request the Administrator to do so.

Fulfillment of rights by data subjects

Data subjects exercise their rights by making a request to the Administrator, which can be submitted in writing in traditional or electronic media, including by email. The Administrator's correspondence details are indicated in the contact form on the website and in this Security Policy.

The administrator shall provide the data subject with the requested information in the exercise of his rights, without undue delay and in any case within one month of receipt of the request. When the request is submitted by electronic means, the information shall be provided electronically, if possible, unless the data subject has requested otherwise and without excluding other means of communication. If the Administrator will not act on the request, he shall notify the data subject without delay or at the latest within one month, indicating the reasons and the possibility of filing a complaint with a supervisory authority or seeking legal protection.

The provision of requested information and any communication or action in connection with the exercise of the user's rights is initially free of charge for the user. When the data subject's requests are manifestly unfounded and excessive (for example, in cases of repetition), the Administrator has the right to impose a reasonable fee or refuse to take action, having to prove the unfoundedness and excessiveness.

When the Administrator has reasonable doubts about the identity of the person submitting a request, he may request additional information necessary to verify and ensure the security of the data.

The data subject has the right to submit a complaint against the Administrator to the supervisory authority if he considers that the processing of personal data concerning him violates the applicable legislation on the protection of personal data. The supervisory authority in the Republic of Bulgaria is the Commission for the Protection of Personal Data with address: Sofia 1592, "Prof. Tsvetan Lazarov" №2, e-mail kzld@cpdp.bg, website: www.cpdp.bg, telephone: +3592 915 3 518.

"Cookies"

The use of online services is related to the automatic exchange of information between the user's device and the Administrator of the web service (in this case, the Administrator of personal data). This information allows the website to function, as well as to remember the user's preferences (language used, security settings and other display settings) for a certain period of time, so that the settings do not have to be made every time you visit the site or switch from one page to another.

"Cookies" are small text files that contain precisely such information that is not used for the purpose of identifying users, but may itself contain data that meets the definition of personal data.

The use of "cookies" is subject to the user's consent when they track his actions within the website in order to display analytical and statistical data on site visits.

If the user accepts the use of these cookies, he can revoke his consent at any time by disabling cookies for a web page through the settings of the Internet browser he is using. There are the mandatory cookies, called "strictly necessary", which provide functions without which the website cannot function. They do not require user consent.

Contacts

If you cannot find an answer to any of your questions related to the processing of personal data in this document or you need additional information, you can contact the Administrator in the ways indicated below.

• Phone: +359 888 52 55 49
• E-mail: info@cashlend.bg
• Contact person: Venelin Todorov – Manager

Policy changes

Any change in this Privacy Policy will be published on the website of the Administrator in a timely manner - Cashlend.bg.

Last updated: 07/01/2022