Privacy Policy

PRIVACY AND PERSONAL DATA PROTECTION POLICY



TABLE OF CONTENTS:

1. Purpose and General Provisions

2. Fundamental Principles of Personal Data Processing

3. Purposes of Processing and Categories of Processed Data

4. Legal Basis and Procedure for Personal Data Processing

5. Transfer of Personal Data

6. Identification and Due Diligence Measures for the Prevention of Money Laundering and Terrorist Financing

7. Principles of Personal Data Protection

8. Procedure and Retention Periods for Data Deletion

9. Final Provisions


1. PURPOSE AND GENERAL PROVISIONS

1.1. The Privacy and Personal Data Protection Policy of the data controller, the Company (hereinafter – the Privacy Policy), governs the privacy and data security matters related to the use of the online information system maintained and managed by Digilo, prior to the commencement of personal data processing.

1.2. The Privacy Policy specifies the purposes for which Digilo processes personal data, the categories of personal data that are processed, and the duration for which such personal data are retained.

1.3. Digilo processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – the General Data Protection Regulation or GDPR); Regulation (EU) 2020/1503 of the European Parliament and of the Council of 7 October 2020 on European crowdfunding service providers for business, amending Regulation (EU) 2017/1129 and Directive (EU) 2019/1937 (hereinafter – Regulation No. 2020/1503); the applicable laws and regulations of the Republic of Latvia; and the Company’s internal regulatory acts.

2. FUNDAMENTAL PRINCIPLES OF PERSONAL DATA PROCESSING

2.1. This Privacy Policy applies to every natural person whose data are processed by Digilo.

2.2. The principles of personal data processing and protection are observed in all data processing activities, including servicing investors, potential investors, and project owners (hereinafter – the Clients); recruiting new employees and managing information regarding existing employees; entering into cooperation agreements; initiating new processes and implementing new services; improving data processing technologies; transferring documents for archival storage; and destroying documents whose prescribed retention period has expired.

2.3. Digilo ensures a high level of confidentiality and implements data protection, information, and other relevant measures to guarantee lawful, fair, and transparent processing of personal data.

3. PURPOSES OF PROCESSING AND CATEGORIES OF PROCESSED DATA

3.1. The data subjects whose personal data are processed by Digilo are natural persons who are at least 18 years of age and can be identified within the controller’s information system by their name, surname, identification number, or registration number, and who receive the services provided by the controller.

3.2. Personal data refer to all types of information that can be used to identify a specific natural person (hereinafter – the Data Subject).

3.3. Digilo processes the following categories of personal data of data subjects:

3.3.1. personal data of candidates who submit applications for vacant positions, to the extent specified in the Recruitment Policy;

3.3.2. personal data of employees, to the extent specified in the Employee Privacy Policy;

3.3.3. personal data of Clients, in accordance with the scope established by external legal acts and Digilo’s internal regulations.

3.4. Digilo processes the following categories of personal data, unless otherwise provided in other internal regulations of Digilo:

3.4.1. data subject’s first name and surname;

3.4.2. Identification data (identity document; registration documents; other documents requested from the data subject for the receipt of services);

3.4.3. Contact information;

3.4.4. Bank account number;

3.4.5. Biometric data for the purposes of personal identification;

3.4.6. Financial information;

3.4.7. Location data;

3.4.8. Data concerning economic activity;

3.4.9. Data concerning professional activity;

3.4.10. Other data necessary for the use of the services provided by Digilo’s online platform;

3.4.11. Characteristics and attributes of a secure electronic signature.

3.5.1. To ensure the legal and legitimate interests of Digilo;

3.5.2. to provide Digilo’s services and to ensure their quality within the framework of contractual relationships;

3.5.3. Digilo requests all necessary information from the Client in order to initiate verification and due diligence procedures required for the use of services available on Digilo’s website, as further described in other internal regulatory documents of Digilo;

3.5.4. to fulfil the legal obligations applicable to Digilo (including the identification of the Client, determination of the beneficial owner, and other actions required by applicable legal acts);

3.5.5. to ensure that Digilo’s operations comply with the requirements established by applicable laws and regulations.

3.5.6. To provide consultation and information to Digilo’s clients.

3.6. When using the services provided on Digilo’s website, additional personal data are generated, including:

3.6.1. User account number and name;

3.6.2. User password;

3.6.3. Authentication and login data;

3.6.4. Information about transactions carried out on Digilo’s website;

3.6.5. Information regarding concluded agreements;

3.6.6. Information on executed transactions;

3.6.7. Information on communication between Digilo and the client;

3.6.8. Information on the flow of monetary funds.

4. LEGAL BASIS AND PROCEDURE FOR PERSONAL DATA PROCESSING

4.1. The processing of personal data is carried out on the following grounds:

4.1.1. the data subject’s written consent within the information system for the purpose of receiving the services provided by the controller;

4.1.2. the performance of the controller’s contractual obligations and the assessment of the data subject prior to the conclusion of a contract, in accordance with the controller’s obligations set out in applicable legal acts;

4.1.3. legal obligations applicable to the controller, prior to the conclusion of a contract with the Client for the use of services available on Digilo’s website;

4.1.4. The protection of the controller’s legitimate interests.

4.2. Digilo obtains and processes from the Client only such information as is necessary to achieve the specified purposes and to ensure the provision of services in compliance with the requirements established by external and internal regulatory enactments, thereby adhering to the principle of data minimisation.

4.3. Access to personal data is granted only to those individuals who require it for the performance of their official duties and functions.

4.4. Digilo continuously monitors personal data processing activities, records every incident affecting data security, and takes measures to prevent any further data breaches or threats.

4.5. Digilo maintains a data processing register, which reflects the types of personal data processing, their purposes, and the legal basis for such processing.

5. TRANSFER OF PERSONAL DATA

5.1. In fulfilling its legal obligations and commitments, Digilo transfers personal data to its employees, suppliers, subcontractors, strategic partners, and other parties that assist the controller’s company and its clients in carrying out business operations, solely for the purposes for which the personal data were originally provided to Digilo.

5.2. Digilo transfers personal data to third parties only when one of the following legal bases applies:

5.2.1. The data subject’s consent;

5.2.2. The protection and enforcement of Digilo’s legitimate interests;

5.2.3. to persons specified in external regulatory enactments, upon their justified request, in accordance with the procedures and to the extent established in such regulatory enactments;

5.2.4. For the purpose of performing the functions or tasks assigned to Digilo.

5.3. In the cases and to the extent provided by law, personal data may be disclosed to courts, persons associated with the judicial system (such as notaries, lawyers, and bailiffs), law enforcement authorities, and other supervisory or regulatory institutions upon their request, or in order to ensure the fulfilment of a legal obligation applicable to Digilo, or for the protection of its lawful (legitimate) interests.

5.4. Digilo may transfer personal data to the following entities:

5.4.1. State and municipal authorities, where the controller is required by law or upon the authority’s request to provide such data;

5.4.2. The controller’s employees;

5.4.3. Persons authorised by the controller;

5.4.4. Information system administrators;

5.4.5. Accounting service providers;

5.4.6. Identification service providers;

5.4.7. Cloud service providers;

5.4.8. subsidiaries providing collateral agent services in accordance with the requirements of the Financial Instruments Market Law and other applicable regulatory enactments;

5.4.9. Lemonway, registration No. 500 486 915, registered address: 8, rue du Sentier – 75002 Paris, France (hereinafter – Lemonway);

5.4.10. Credit Information Bureau, AS;

5.4.11. Public state and municipal registers.

5.5. Digilo obtains and may transfer Clients’ personal data to third parties for the fulfilment of obligations specified in this Policy and other external or internal regulatory enactments, prior to the Client being registered on Digilo’s website for the receipt of services.

5.6. By providing their personal data to Digilo, the Client expresses consent to the processing of personal data, including the verification of information, and confirms the authenticity and accuracy of the data provided prior to being registered on Digilo’s website for the receipt of services. The Client has the right to request information from Digilo regarding the scope and purposes of personal data processing by writing to the following email address: dana.gorina@digilo.lv.

5.7. The purpose of transferring personal data to Lemonway is to ensure the opening and management of the Client’s Payment Account for the use of services available on Digilo’s website, as well as to ensure compliance with the requirements for the prevention of money laundering and terrorist financing, and the rules regarding the circumvention or violation of sanctions. The transfer of the Client’s personal data to Lemonway means that Lemonway carries out an independent verification and due diligence of such data in accordance with its internal rules and procedures.

5.8. The purpose of transferring personal data to Digilo’s cooperation partners and service providers is to ensure Client due diligence and compliance with the requirements for the prevention of money laundering and terrorist financing, as well as with the rules concerning the circumvention or violation of sanctions.

6. IDENTIFICATION AND DUE DILIGENCE MEASURES FOR THE PREVENTION OF MONEY LAUNDERING AND TERRORIST FINANCING

6.1. On the legal basis of ensuring legitimate interests, Digilo processes the personal data of Clients and business partners in order to carry out initial identification and to fulfil due diligence requirements related to the prevention of money laundering and terrorist financing.

6.2. For this purpose, Digilo obtains and transfers data to information system administrators and cooperation partners in order to carry out Client identification. For the purposes of Client identification, and based on the Client’s consent, the following data are collected:

6.2.1. First name, surname;

6.2.2. Personal identification number;

6.2.3. Gender;

6.2.4. Date of birth;

6.2.5. Place of birth;

6.2.6. Information from an identity document (type of document, serial number, date of issue, expiry date);

6.2.7. nationality;

6.2.8. Information regarding residential address;

6.2.9. Information on the person’s status as a politically exposed person (PEP);

6.2.10. Information on the beneficial owner;

6.2.11. Photographs obtained during the identification process;

6.2.12. Information regarding any international sanctions applicable to the person;

6.2.13. Information regarding tax obligations;

6.2.14. Biometric data;

6.2.17. Data of the operating system and web browser used for personal identification.

6.3. As part of the Client due diligence process, Digilo has the right to assess the Client’s basic knowledge regarding the use, receipt, and operation of crowdfunding and investment services, as well as their understanding of the associated risk levels.

6.4. The personal data obtained within the scope of Client identification and due diligence procedures are transferred to Lemonway, which opens the Client’s Payment Account in accordance with the rules and procedures of Lemonway, available at the following website: https://www.lemonway.com/en/terms-and-conditions

7. PRINCIPLES OF PERSONAL DATA PROTECTION

7.1. When processing personal data, Digilo adheres to the following principles:

7.1.1. personal data are processed ensuring their secure storage within information systems, where access is encrypted and protected by passwords and other authentication measures;

7.1.2. Personal data are processed lawfully, fairly, and in a transparent manner in relation to the data subject;

7.1.3. personal data are collected for specified, explicit, and legitimate purposes and are not further processed in a manner incompatible with those purposes;

7.1.4. personal data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;

7.1.5. personal data are accurate and, where necessary, kept up to date;

7.1.6. personal data are kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

7.1.7. personal data are processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, by using appropriate technical and organisational measures;

7.1.8. access to personal data is provided in accordance with the controller’s internal rules on information system access, specifying the employees who are granted data access rights for the fulfilment of processing purposes;

7.1.9. The controller’s employees maintain confidentiality;

7.1.10. The controller performs regular information system backups, at least once (1) per month;

7.1.11. The controller does not process personal data of persons under the age of 18.

7.2. Personal data are not transferred outside the territory of the European Union or the European Economic Area.

7.3. When processing personal data, Digilo uses automated information systems and ensures the involvement of Digilo’s employees in the decision-making process based on the results of personal data processing.

8. PROCEDURE AND RETENTION PERIODS FOR DATA DELETION

8.1. Personal data are retained for as long as necessary to ensure the provision of services and the fulfilment of obligations by the controller, in accordance with the legal basis for data processing.

8.2. Personal data are stored for no longer than 60 months after the client has terminated their obligations with the controller.

8.3. The data subject has the following rights:

8.3.1. to access their personal data;

8.3.2. to request the rectification of personal data;

8.3.3. to request the erasure of personal data;

8.3.4. to object to the processing if it conflicts with the legal basis for data processing stated by the controller;

8.3.5. to request data portability or transfer, where it is possible to continue the provision of services available on the Digilo website;

8.3.6. to receive information prescribed by applicable legislation in connection with personal data processing or restrictions on processing;

8.3.7. to receive their personal data in written form or in one of the commonly used electronic formats.

8.4. For questions, suggestions, complaints, or information requests, the data subject has the right to contact the Digilo Data Protection Officer: Dana Gorina, email: dana.gorina@digilo.lv, office address: Bukultu iela 11, Rīga.

9. FINAL PROVISIONS

9.1. This Policy enters into force on 1 January, 2026.

9.2. The Policy and any amendments thereto are approved by the Management Board of the Company. The Company’s Legal and Compliance Officer is responsible for the implementation and enforcement of this Policy.

9.3. Digilo reserves the right to make changes or additions to this Privacy Policy by publishing the current version of the Privacy Policy on the website www.digilo.co.

9.4. This Policy has been prepared in the Latvian language, which shall be deemed the official version. The Policy consists of 10 (ten) pages. The English translation is provided for information purposes only. In the event of any discrepancy or difference in interpretation between the Latvian and English versions, the Latvian version shall prevail.