Privacy Policy

1 Who are we?

This Privacy Policy applies to the personal data processing activities of Diarough Invest S. A. incorporated under the laws of Luxembourg, (hereinafter “Diarough Invest S. A.”, “we”, “us”, “our”).

This Privacy Policy describes how we collect, use and share any information that, used alone or in combination with other information, relates to you (called “personal data”) in connection with the assignment of receivables owed by you, or otherwise communicate personal data to us in the context of our activities and services.

2 What does this Privacy Policy cover?

We value your right to privacy and strive to protect your personal data in accordance with the applicable data protection legislation, including the General Data Protection Regulation 2016/679 (“GDPR”) and its national implementing laws. We will only collect and use your personal data in the manner and for the purposes as described in this document and that are consistent with our obligations and your rights under the applicable legislation and regulations.

This Privacy Policy explains on what legal basis we may process your personal data and:

what personal data we collect;
for what purposes and how we may use/process such personal data;
how we collect the personal data;
how we store the personal data;
for what period we store the personal data; and
what your rights are under the applicable data protection and privacy

In this Privacy Policy we set forth how we collect your personal data, how and for what purposes we may use them and to whom your personal data may be disclosed. Further, this Privacy Policy includes important information regarding your rights with respect to the processing of your personal data, including your right to withdraw consent (‘opt-out’) for direct marketing (e.g. promotional e-mail updates) at any moment in time.

From time to time, we may need to update this Privacy Policy. This may be necessary, for example, if the law changes or if we change our business in a way that affects the way we process personal data. The most recent version of this Privacy Policy will always be available on our website www.claritycapitalfinance.com. You may also ask us to send you a copy of the most recent version of this Privacy Policy. In the event that the Privacy Policy will materially and/or substantially change and provided that we your e-mail address, we will actively inform you of this change and provide you with the new version of the Privacy Policy.

3 What role do we play in the processing of your personal data?

Pursuant to applicable data protection and privacy legislations, we qualify as the controller with respect to the processing of your personal data.

Where we collect and process personal data, we qualify as joint controller together with the other entities in Diarough Group.

4 Whose personal data do we process?

This Privacy Policy is relevant for anyone whose personal data we may process in the context of our (business) activities, including but not limited to:

Individuals (debtors) in relation to whom we have acquired receivables in the context of our activities;
Directors, authorized representatives, employees and/or (other) contact persons of debtors in relation to whom we have acquired receivables in the context of our activities;
Potential customers who have provided us information

If you fall within any of these categories, we encourage you to carefully read this Privacy Policy.

Where you provide personal data to us that relate to another individual than yourself (for example of the legal representative of the company you are representing), please provide the concerned individual with (a copy of) this Privacy Policy before providing us with his/her personal data.

5 How do we collect your personal data?

We may collect information about you in various ways:

Directly from you, for example when you provide us with your personal information by contacting us or when a contact person provides his/her personal data by email, indirectly through upload in systems of service providers you work
Indirectly, through a transfer of receivables and ancillary documents and information, including through an online
Otherwise, through information accessible freely or a service in the public domain, for example Dun and Bradstreet, Buro Van Dijck, Kruispuntbank, Luxembourg Business Registers, and the like for respective jurisdictions,

6 What personal data do we collect and for what purposes do we use such data?

We process your personal data in the manner indicated in the table below. The legal bases used for our data processing activities are:

The processing is necessary for the performance and execution of a contract with you (Article 6, 1, (b) GDPR);
The processing is necessary for compliance with legal obligations (including our obligations under applicable tax laws, our legal administration obligations, to cooperate with supervisory authorities) (Article 6, 1, (c) GDPR);
The processing is necessary for our legitimate (business) interests (Article 6, par. 1, (f) GDPR); or
If applicable laws require so, we will process your personal data upon your (explicit) consent (Article 6, par. 1 (a) GDPR). If any kind of processing is based on your consent, we hereby inform you that you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its

Personal data	Purpose	Legal basis
Names Contact details, including but not limited to addresses, telephone numbers and email addresses Position/job title Signatures Business/company information Excerpts of registers (public or not, for example excerpts from the Chamber of Commerce)	In order to collect receivables, including related accounting purposes and verify eligibility	Article 6, par. 1, (b) GDPR Article 6, par. 1, (f) GDPR
Names Position/job Other (personal) information you provide if you send us an email or otherwise contact us	To contact you / to communicate with you, for example via email correspondence and/or telephone calls;	Article 6, par. 1, (b) GDPR Article 6, par. 1, (f) GDPR
Names Contact details, including but not limited to addresses, telephone numbers and email addresses Position/job title Signatures Business/company information Excerpts of registers (public or not, for example excerpts from the Chamber of Commerce) Payment information/bank account details	To deal with possible disputes, to establish, defend and exercise our (legal) position	Article 6, par. 1, (b) GDPR Article 6, par. 1, (f) GDPR
Names Business/company information Excerpts of registers (public or not, for example excerpts from the Chamber of Commerce) Payment information/bank account details	To reconcile information received through different channels	Article 6, par. 1, (f) GDPR

In addition, all the personal data listed above can – where necessary – also be used for the handling of inquiries and complaints, and for the management of our legal disputes. This is based on our legitimate interests to defend our legal rights both inside and outside of court proceedings.

You have the possibility to refuse that your personal data are used for electronic direct marketing purposes at the moment we collect these data from you or any time after, by clicking the ‘unsubscribe’ link at the bottom of our marketing e-mails or by sending us an e-mail or a letter at the contact details indicated below.

7 How long will we keep your personal data?

We will not store or keep your personal data for a longer period than is necessary in light of the purposes for which we process them (we refer to the purposes as listed above in title 6). Only where we are legally obliged to, or where this is necessary for defending our interests in the context of judicial proceedings, we will store the personal data for longer periods.

More specifically, the following storage periods apply:

Category of personal data			Storage period
Name and contact details, job/position, signature			5 years after our contracting/business relationship ended.
Invoices and other financial documents			7 years after the date of the invoice.
Bankstatements Reportings containing personal data			7 years after the date of the invoice 7 years after the date of the invoice

8 How do we protect your personal data?

We use appropriate technical and organizational measures to protect the personal data we collect and process. The measures we take are designed to provide a level of security appropriate to the risk of processing your personal data. We protect your personal data against destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

Further, we seek to ensure that we keep your personal data accurate and up to date. In view thereof, we kindly request you to inform us of any changes to your personal data (such as a change in your contact details).

9 With whom do we share your personal data?

In the context of the purposes as listed above, we may share your personal data with third parties. The third parties to which we can communicate some of your personal data are the following:

Our third-party suppliers, service providers and partners who provide a data processing service to us, or who process personal data for purposes described in this Privacy Policy, or who are notified to you at the time of collection of your personal data. This may include communications to service providers that we use in connection with the services they provide to us, including to support us in areas such as IT platform management or support services, infrastructure or application services, credit rating, marketing, and data analysis;
Any appropriate law enforcement agency, regulator, government agency, court, or other third party, when such disclosure is necessary (i) under applicable laws, (ii) to exercise, establish, or defend our rights, or (iii) to protect your vital interests or those of any other person;
Our auditors, advisors, legal representatives and similar agents in connection with consulting services they provide to us for legitimate business purposes;
Any prospective Investor (and its agents and advisors), in connection with a proposed purchase, merger or acquisition of a portion of our business if this is required in the context of that transaction; and

Where relevant, we will implement safeguards to ensure the protection of your personal data when disclosing your personal data to a third party. For example, we will enter into data processing agreements with relevant data processors, providing for restrictions on the use of your personal data and obligations with respect to the protection and security of your personal data.

The parties to whom we may disclose your personal data may be located in countries outside the European Economic Area (EEA), such as UK, USA, India, which countries may offer a lower level of data protection than in the country in which we are established. For example, such could be the case for some of our IT service providers or when your order requires that we resort to transport & logistics providers outside the EEA.

In such case, measures are taken to ensure adequate protection of your personal data in accordance with the applicable data protection legislation. Generally, we will enter into Standard Contractual Clauses (as approved by the European Commission) with the recipient of your personal data. You may contact us by sending an email or a letter to the contact details indicated below, if you wish to obtain a copy of the Standard Contractual Clauses entered into or insight into other adequate measures taken.

10 What are your rights and how can you exercise them?

You have the following data protection rights, subject to the conditions and restrictions set out in Articles 12-22 of the GDPR:

Rights	Description
Right to information and right to access your personal data	You may at any time request more information on our processing activities and your personal data that we are keeping, as well as a copy hereof.
Right to rectification of inaccurate or incomplete personal data	You have the right to require us to, without undue delay, rectify or complete any of your personal data that is inaccurate or incomplete.
Right to deletion of your personal data (‘right to be forgotten’)	You may request us to delete your personal data or part of your personal data in the following situations: – when the processing is no longer necessary for achieving the purposes for which they were collected or otherwise processed; – when the processing was based on your consent and you have decided to withdraw that consent; – when you object to the processing of your personal data within the limits of the exercise of your right to object; – in the event we would unlawfully process your personal data; or – when your personal data have to be erased in compliance with a legal obligation imposed on us. Note that we may refuse to delete your personal data: (i) if it is justified by the exercise of the right of freedom of expression and information; (ii) for compliance with a legal obligation; or (iii) for the establishment, exercise or defence of legal claims.
Right to restriction of processing	You may request us to permanently or temporarily restrict the processing of your personal data in the following situations: – when you have contested the accuracy of your personal data, for a period enabling us to verify their accuracy; – in the event we would unlawfully process your personal data and you would request the restriction of the use of your data instead of the deletion of your data; – when we no longer need the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims; or – pending verification whether our legitimate grounds override yours within the framework of an objection.
Right to object to the processing of your personal data (free of charge)	When we process your personal data based on our ‘legitimate interests’, you may object to the processing of your personal data, provided that you invoke ground relating to your particular situation. We will then no longer process your personal data, unless we have compelling legitimate grounds to do so, or if such processing is necessary for the establishment, exercise or defence of legal claims. When we process your personal data based for direct marketing purposes, you may at any time object to this processing without any justification. You also have the right not to be subject to profiling for direct marketing purposes.
Right to data portability	In some cases, you have the right to receive all your personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. This right applies: – in case the processing is based on consent or on the necessity for the performance of a contract; and – in case the processing is carried out by automated means.

Finally, you have the right to lodge a complaint with the Luxembourg Data Protection Authority relating to the processing of your personal data by us. You can find the contact details of this authority on http://www.cnpd.lu/.. Please find a list of other EU supervisory authorities here: https://edpb.europa.eu/about-edpb/board/members_en.

In principle you may exercise these rights free of charge. Only where requests are manifestly unfounded or excessive, we may charge a reasonable fee. Further information and advice about your rights can also be obtained from the data protection authority in your country. We might (if deemed necessary) request a proof of identity in advance in order to validate your request.

11 Contact

If you have any questions, comments, requests or complaints in relation to this Privacy Policy or the processing of your personal data by us, please feel free to contact us by sending an e-mail to legal@egon.lu.