Privacy policy

1.1 Operator of personal data

In this internal regulatory document, the terms "Company" or "Microinvest" refer to the entire Microinvest Group, which includes O.C.N. Microinvest S.R.L. and Microinvest Technology S.R.L., as applicable. Depending on the specific context, these terms may refer exclusively to O.C.N. Microinvest S.R.L., either in relation to both entities or solely to O.C.N. Microinvest S.R.L., if no other specification is made in the express provisions of this document.

O.C.N. MICROINVEST S.R.L. is a commercial company registered under the laws of the Republic of Moldova with the State Registration Chamber on April 29, 2003. The company has the unique fiscal code 1003600053518 and its registered office is located at 12 Renașterii Naționale Blvd, Chisinau. As a data controller, it processes personal data in accordance with Law No. 133 of July 8, 2011, on the protection of personal data (hereinafter referred to as Law No. 133), as well as other relevant legal and regulatory provisions governing personal data protection. Its business activities are focused on providing non-bank financial services.

The National Center for Personal Data Protection is the supervisory authority in the Republic of Moldova, responsible for overseeing and ensuring the legality of personal data processing. The Company, as the Data Controller, processes personal data in good faith and for the purposes outlined in this policy.

1.2 Purpose of the Policy

This policy aims to provide consistent information to any individual whose personal data is processed or may be processed as a result of interacting with the Company. It applies to the following individuals, collectively referred to as "Data Subjects" or "Personal Data Subjects":

• Customers (even after the termination of contractual relationships), potential customers, individuals with whom the Company conducts occasional transactions, legal or conventional representatives of the Customer, Guarantors, wage/ mortgage debtors;
• Contact persons, employees, and/or individuals designated by a Customer of the Company (even after the termination of the contractual relationship);
• Contact persons, legal or conventional representatives, collaborators, employees, and/or individuals designated by a contractual partner of the Company;
• Employees of the Company;
• Candidates wishing to fill positions within the Company;
• Visitors to the Company’s official websites, official social media pages, when browsing leads to the processing of personal data, including automated remote systems, chatbots;
• Visitors to the Company’s offices, where video surveillance cameras are installed, without the purpose of identifying the individual;
• Users of the Personal Cabinet/Mobile Application;
• Individuals who have submitted a petition to the Company and do not fall under the categories listed above.

The information provided to the data subject/about the individual concerned, regarding the purpose and conditions for the processing of personal data, is ensured through the relevant notifications in the forms presented to them within the services provided (applications/contracts/questionnaires/statements), via the website and automated remote service systems, as well as through other communication channels established within the company. At the same time, this Privacy Policy explains how the Company processes personal data, describes the types of personal information processed, the purposes of personal data processing, establishes the rights of the data subjects concerning their personal data, outlines how these rights can be exercised, and provides details about cookies.

 

1.3 Relevant definitions used

Relevant definitions in the context of personal data protection:

Personal Data – any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more specific elements of their physical, physiological, mental, economic, cultural, or social identity.

Personal Data Processing – any operation or set of operations performed on personal data, whether automated or manual, such as collection, recording, organization, storage, retention, retrieval, adaptation or modification, extraction, consultation, use, disclosure by transmission, dissemination, or otherwise, alignment or combination, blocking, deletion, or destruction.

Data Subject – may be the applicant for a product or service offered by the Company, their authorized representatives, as well as any other natural persons whose Personal Data may be transmitted or collected by the Controller for the purpose of carrying out Personal Data processing activities, both for its own purposes and on behalf of and for the benefit of its contractual partners, according to the purposes determined by them.

Within its operations, the Company processes the following categories of personal data related to an identified or identifiable natural person (data subject):

 

• Identification and contact details – First and Last Name, national identification number (series and number of the identity document), a copy of the identity document, signature, date and place of birth, gender, nationality, handwritten signature, home address, residence address, correspondence address, telephone number.
• Contact and identification details for remote communication means – telephone number, email address, electronic signature, IP address(es), operating system and platform of the electronic devices used to connect to the Company's information systems, unique identification and authentication codes: client code, login, one-time password (OTP), authentication type (native biometric of the phone and/or login PIN hash from the mobile application), biometric data (fingerprint or facial biometric image used to unlock the device), mobile phone name (device type and brand), other information included in cookie files, etc.
• Financial data and information necessary to assess the payment capacity – types of income and expenses, credit history information, any other information provided by entities such as the Credit Bureau; data regarding movable/immovable property owned (addresses, cadastral numbers, data from the Movable Property Register, data from the State Transport Register).
• Social and family data – family status, profession, occupation, workplace/employer's name, health insurance, professional training, nature of the individual’s activity.
• Political affiliation data – information related to being a politically exposed person, in specific cases, processed only as required by legislation on preventing and combating money laundering and the financing of terrorism.
• Fraud-related data – accusations, convictions related to crimes such as fraud, as well as data from public media sources that may reveal information about fraudulent or potentially fraudulent activities, money laundering, and terrorism financing, data regarding international sanctions.
• Data related to image, photo, voice, or geolocation – image (contained in identity documents or captured by video surveillance cameras installed at the Company’s premises), voice, including in telephone conversation recordings, or both in the case of promotional spots of the Company involving clients. Geolocation (e.g., for displaying the nearest Secondary Offices of the Company).
• Other data necessary for business purposes.

The Company avoids processing data from the special category of personal data (racial or ethnic origin, political, religious beliefs, health status or intimate life, as well as criminal convictions), except in cases where:

• The processing is necessary to fulfill obligations and exercise specific rights, as authorized by applicable legislation;
• The processing concerns personal data made public;
• The processing is necessary for the establishment or exercise of a right in court.

Refusing to provide the necessary personal data to the Company for the intended/requested activities may prevent the provision of services and/or the fulfillment of other data processing purposes.

Purpose of data processing

The non-banking financial activity of the Company is regulated by legislation in most of its aspects, ranging from customer identification, confidentiality of the relationship, prudence, and diligence in providing services, to security measures and even the way in which contractual partners are selected. In addition to the legal framework and contracts, the Company also relies on legitimate interest when processing personal data. Thus, personal data is processed for the following purposes:

a) For the execution of a contract to which the data subject is a party or for taking measures before the conclusion of the contract, at the request of the data subject, the company may process data for purposes such as:
assessing eligibility and creditworthiness in order to provide the company’s products and services;
managing any contractual relationships (with clients, collaborators, members of the supervisory board, partners, or employees of the company);
ensuring the proper and secure execution of financial transactions: at the counter, via transfer, card, POS, payment terminals, etc.;
monitoring all obligations assumed towards the Company;
collecting debts/recovering claims (including activities leading up to this);
establishing, exercising, or defending rights in court or before other authorities;
managing requests/complaints/petitions/investigations related to the company’s activities, services/products, or employees;
concluding and executing employment contracts;
b) For compliance with legal obligations, the Company needs to process data for purposes such as:
applying measures to prevent and combat money laundering, terrorism financing, and fraud, in order to identify and know the clientele, assess risks, and report transactions;
providing reports and information upon request by public authorities (e.g., courts, investigative bodies, enforcement authorities, notaries, tax authorities, supervisory authorities, the Service for Preventing and Combating Money Laundering (SPCSB), etc.);
managing audits, reports, as well as inspections and investigations by national authorities;
ensuring security at the Company’s premises/offices;
managing credit risk and risk management by creating risk profiles;
preserving/storing/archiving documents;
implementing data security measures and managing business continuity in case of unforeseen situations, including by making backup copies.
implementation of means that allow any person to report discrepancies/discontent related to the services provided by the Company;
compliance with labor legislation regarding employee relations.

 

c) In order to achieve/monitor the legitimate interests the Company has in connection with the proper management of its activities, provided these interests do not harm the interests or fundamental rights and freedoms of the data subject, the Company may process data for purposes such as:

- design, development, testing, and use of information systems and services (including storage/archiving of databases, designing credit risk assessment models - rating, scoring, etc.);

- diversification of products and services and their adaptation to customer needs;

- offering products/services, including online, for the company’s clients who benefit from the services provided;

- recording communications via digital/analog channels (e.g., the company’s website, online chat, mobile application, email, etc.);

- maintaining the reputation, integrity, and security of the business;

- simple marketing and conducting surveys regarding the services offered by the Company and its activities;

- identifying the assets and updated contact details of clients and partners, for exercising the Company’s rights regarding debt recovery, enforcement of amounts due, and managing seizures;

- recruitment and human resources concerning the Company’s candidates and employees, internships, training participation, provision of benefits;

- providing security and protection for the buildings, assets, staff members, and visitors of the Company through the video surveillance system;

- transmitting and receiving credit information from entities like Credit Bureaus regarding loans taken out by clients (e.g., credit risk status and overdue loan information, as well as information about credit products, or other commitments the client benefits from), for initiating, carrying out, and monitoring credit relationships with clients;

- providing responses/information, addressing requests/complaints/notifications of any kind made through any channel, including digital ones;

- for statistical purposes;

- other purposes related to the Company’s activities.

 

d) Certain data processing of the data subjects is only carried out by the Company if it has the consent in this regard or another legal basis. Consent or another legal basis is required to process data for purposes such as:

- direct sending of advertising messages (direct marketing) to promote products and services;

- analysis of transaction history, characteristics, and transaction initiation locations, in order to personalize dedicated offers.

In the cases described in points a) - c) above, the consent of the data subject is not required.

Personal data is processed by the Company according on the following legal grounds:

Based on the consent of the data subject, in accordance with Article 5 (1) of Law no. 133/08.07.2011, regarding the Protection of Personal Data. After the consent has been requested and given for certain data processing activities, it may be withdrawn by the data subject at any time. The withdrawal of consent will not affect the legality of the data processing carried out prior to the withdrawal, nor will the contractual relationship be affected.

For the execution of a contract to which the data subject is a party or for taking steps at the request of the data subject before the conclusion of a contract (e.g., providing the credit product, communication with the data subject for the execution of the contract, analysis necessary to assess payment capacity, etc.), in accordance with Article 5 (5) (a) of Law no. 133;

For the fulfillment of a legal obligation of the Company (e.g., reporting to competent authorities, knowing the clientele for the purpose of preventing money laundering and financing terrorism, etc.), in accordance with Article 5 (5) (b);

For the legitimate interests pursued by the Company (e.g., debt collection related to the contractual relationship, ensuring the security of individuals and property, etc.), but with due consideration for protecting the interests, rights, and fundamental freedoms of the data subject, in accordance with Article 5 (5) (e) of Law no. 133.

In order to achieve the processing purposes listed in Chapter 3 of this policy, the Company may transmit some or all categories of personal data to the following recipients:

• employees of the Company within specific departments;
• public institutions  for supervision of non-bank lending activity;
• authorities or individuals authorized by law to request this information;
• entities organized as Credit Bureaus;
• bailiffs, in accordance with and within the limits set by the enforcement document, notaries, auditors;
• judicial courts, for the purpose of resolving a pending case;
• contractual partners and service providers such as: printing services, IT and telecommunications services, document destruction services, debt collection or claim recovery companies, marketing companies, IT application and system suppliers, etc.;

All the above mentioned recipients are contractually and / or legally obliged to comply with the legal requirements and the measures of security and confidentiality of personal data.

The Company performs an appropriate prior assessment upon selection of service providers and imposes adequate security, technical and organizational measures to protect personal data and to process personal data only under the relevant legislation on personal data. ements and the measures of security and confidentiality of personal data.

In order to achieve the purposes outlined in this Policy, personal data will be processed by the Company throughout the contractual relationship with the data subjects concerned and after its termination, in order to comply with the applicable legal obligations, including those related to archiving. The legal retention periods for archiving vary depending on the type of data, and in some cases, may extend up to 75 years.

 

In general, transaction data should be kept for 5 years after the termination of the business relationship with the customer or from the date of a one-time transaction. However, the data may be retained for a longer period upon the request of the authorities, which cannot exceed an additional 5 years, or for the protection of legitimate interests.

 

The personal data specified in the loan application, as well as those processed for customer verification purposes to prevent and combat money laundering and terrorism financing, are stored in the Company’s records for a period of 5 years from the date of signing the loan application if it is rejected, and for a period of 5 years from the date of termination of the credit relationship if a credit agreement is concluded following the approval of the loan application.

 

For data processed under the consent of the data subjects, including for marketing purposes, the Company will continue processing the data until the consent provided by the data subject is revoked.

 

To demonstrate that petitions/complaints/inquiries/requests for information/measures have been received and responses have been made, including for quality control of the responses provided by the Company, such messages received through any channel will be kept in the Company’s records in both paper and/or electronic format, depending on how they are received and responded to, during the business relationship with clients, or for a period necessary to fulfill the purpose for which the data were processed (responding/providing information), plus an additional period of 3 years – the legal prescription period, if the data do not pertain to individuals with whom the Company has established a business relationship.

 

Personal data processed for recruitment purposes will be retained by the Company until the recruitment process for the available position is completed. If the data subjects wish to be contacted for multiple suitable positions, the CV data and other records they have voluntarily provided to the Company for this purpose will be kept for up to 2 years, unless they request their deletion within this period.

 

The retention period of data obtained through the video surveillance system is proportional to the purpose for which the data are processed and does not exceed 90 days, after which the recordings are automatically deleted in the order in which they were recorded. In the event of a security incident, the retention period for the relevant footage may exceed the normal limits, depending on the time needed for further investigation of the security incident.

 

Any other personal data processed by the Company for other specified purposes will be retained for the period necessary to achieve the purposes for which they were collected, to which may be added non-excessive retention periods established in accordance with the applicable legal obligations, including, but not limited to, archiving provisions.

For complete information and in accordance with the provisions of the Law on the Protection of Personal Data, data subjects have the following rights regarding their personal data processed by the Operator.

Right to Information – the right to receive information about the personal data processing activities carried out by the Company as the Data Controller or the person authorized by it, as well as information about the rights of the data subject.

Right of Access to Data – data subjects have the right to access their personal data and to obtain confirmation as to whether or not the Company processes their personal data. They also have the right to obtain information regarding the purposes of processing, the categories of data involved, and the recipients or categories of recipients to whom the data are disclosed, as well as the communication of the personal data being processed, and any available information regarding the origin of these data. This allows them to verify whether their data are being processed in accordance with the legal provisions in this field.

Right to Rectify Data – data subjects have the right to rectify, update, block, or delete their personal data. If the personal data held by the Company are incorrect, inaccurate, or incomplete, data subjects have the right to request the correction of their data. The deletion of data is also referred to as the "right to be forgotten," under which data subjects may request the deletion of their personal data processed by the Company if there is no longer a legal basis for processing them. However, there may be situations in which the Company cannot comply with a deletion request, such as: when the Company is legally required to retain personal data; when the data are stored for archiving purposes in the public interest or for statistical purposes; when the data are necessary for establishing, exercising, or defending a legal right in court.

Right to Object – data subjects have the right to object, at any time, for legitimate and reasonable grounds related to their particular situation, to the processing of their personal data, including profiling. Additionally, data subjects may object at any time, free of charge and without justification, to the processing of their data for marketing purposes.

Right Not to Be Subjected to a Decision Based Solely on Automated Processing – data subjects may request the withdrawal, cancellation, or reassessment of any decision based solely on automated processing (without human involvement), including profiling, the determination of payment capacity, and the assessment of certain aspects of their personality (such as professional competence, credibility, or behavior), which produces legal effects concerning the data subject.

Right to Access to Justice – data subjects have the right to refer the matter to the court for compensation of material and moral damages if they have suffered harm as a result of unlawful personal data processing or if their rights and interests guaranteed by Law No. 133 have been violated.

To exercise these rights, or if they believe that the Company's processing of personal data violates the legal provisions in the field of data protection, the data subject may file a complaint or send a written request, dated and signed either in hand or electronically, to the Company’s contact address provided in the contact section of the official website https://microinvest.md/contacte/ or via email at protectiadatelor@microinvest.md.

Their request will be analyzed and addressed without delay, in accordance with internal procedures and applicable legislation. Unsubscribing from the "newsletter" can be done independently, voluntarily, and free of charge at any time by accessing the unsubscribe link at the end of the newsletter received.

8.1 Notion of cookies

Cookies – The website www.microinvest.md, along with the online Personal Account provided by the Company, may use cookies and other similar technologies when accessed by visitors. In both cases, cookie files may be stored on the user's device. Cookies are small text files created by the Company’s website in the user’s browser, consisting of letters and numbers, and are stored on the user’s computer, mobile device, or any other device used to access the internet. These cookies help the website remember information about the user's visit, such as preferred language and other settings, making future visits more convenient. Cookies are essential for a seamless browsing experience, as without them, using the internet would be far more frustrating.

In most cases, cookies do not collect or process personal data and do not identify individual users of the website.

8.2 Types of cookies used by the Company and their settings

The Company uses the following categories of cookies:
• Cookies strictly required – without which you can not operate and navigate on the company’s website, such as those that help identify, authenticate, and access the Company’s website; These cookies are necessary for the operation of the website and can not be disabled in the Company’s systems. In the browser that the user uses, it is possible to set the blocking or receipt of a warning about these cookies, but in this case, certain parts of the site may not work.
• Performance cookies – These cookies are used to improve the performance and functionality of the Company’s sites, but are not essential to their operation. The information provided by the analytics cookies module helps operators understand how visitors use sites and then use this information to improve the way content is presented to users. However, without these cookies, some functionality may become unavailable.
• Measure cookies – these cookies are strictly used for statistical purposes and allow counting of users visiting the site or how much is accessed a particular item on the page (e.g. a button). These cookies do not collect personal data and expire at the end of each session.
• Promotional cookies – These cookies are set on the site based on agreements the Company has with advertising partners (e.g., Social Media pages, Google, etc.). With the help of these cookies, partners can create a profile of site visitors, for whom it will be possible to display certain advertisements related to the Company’s website on other sites they access.

By accessing and further browsing the company’s website, being informed, the user accepts the use and placement of cookies. In any case, the user can change the settings related to cookies at any time, or can delete these cookies, through the settings related to the browser used. Details on changing browser settings can be found on the browser developer websites in the “Settings” section indicated below:

Google Chrome

Mozilla Firefox

Microsoft Edge

Microsoft Internet Explorer

Opera

Apple Safari

The data collected by cookies are generally anonymous and are hidden and cannot be used to identify a particular visitor. Persistent cookies are saved on the user’s device and are not automatically deleted when the browser is closed, unlike a session cookie, which is deleted when the browser is closed. In cases where cookies process personal data capable of identifying the person, the data subject enjoys the rights provided in this policy, regarding personal data.

The Company has a complex system of personal data security measures and continues to develop technical and organizational measures to ensure an adequate level of data protection, including data loss prevention (DLP) systems.

The Company uses advanced security methods and technologies, along with strict policies applied to employees and working procedures (including antivirus solutions, firewalls, and encryption systems). All operational and data processing systems run in secure environments to protect information from unauthorized access. Access to the Company's information/systems is granted only to authorized personnel and for clearly defined purposes, in strict compliance with internal security policies.

Identification and authentication of users accessing information in the personal data registry system is performed in accordance with the Company's internal regulatory provisions.

Technologies and means for detecting access to information in the personal data registry system are used.

Backup copies of personal data within the components of the personal data registry systems are made in accordance with the provisions of the Company's internal regulations.

The present Policy enters into force on the date of approval. As of the date this Policy enters into force, the previous versions of the Policy regarding the protection and confidentiality of personal data and cookies within O.C.N. “Microinvest” SRL are repealed, and this Policy becomes mandatory for all relevant employees of the Company.

In this internal regulatory act, the terms "Company" or "Microinvest" refer to the entire Microinvest Group, meaning O.C.N. Microinvest S.R.L. and Microinvest Technology S.R.L., as applicable, or exclusively to O.C.N. "Microinvest" S.R.L., depending on the specific context in which they are used, and to the extent applicable to both entities or only to O.C.N. Microinvest S.R.L., unless otherwise specified in the express provisions of this act.

The provisions of this Policy will be subject to periodic modification or revision whenever necessary. The Company reserves the right to make changes to the Policy regarding the protection and confidentiality of personal data and cookies within O.C.N. "Microinvest" S.R.L. at any time without the obligation to notify, should such modification be required by the applicable legislation.

This Policy, as well as any proposed changes, will be communicated to the User and data subjects by publishing the updated version on the Company’s website and at the information boards within the Company’s offices.

In case one or more provisions of this Policy contradict the provisions of the applicable legislation of the Republic of Moldova, the regulatory act issued/adopted by the authorized public authority will apply directly.