At Majestic Financial UAB, having the payment institution license issued by the Bank of Lithuania No. 34 on 4 of December 2017 (“Majestic” or Controller) we take the privacy of those we do business with very seriously and we are committed to protecting the privacy of all our clients and business partners. Data protection is of a particularly high priority for us. The use of the Majestic website is possible without any indication of personal data; however, if a data subject wants to use Majestic services via our website, processing of personal data will become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain consent from the data subject.

As Majestic collects and uses personal data, Majestic is obligated to use and process personal data of data subjects only in accordance with this Privacy Policy (hereinafter – the Privacy Policy), as well as, applicable legislation, including the General Data Protection Regulation (2016/679) (hereinafter – GDPR), the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania, Law on Legal protection of personal data of the Republic of Lithuania and other applicable legal acts.

Majestic values your trust and by means of this Privacy Policy, Majestic would like to inform you of the nature, scope, and purpose of the personal data we collect, use and process. This Privacy Policy provides also basic rules for collecting, storing, processing and retention of your personal data and other information relating to you. Furthermore, you are informed, by means of this data protection declaration, of the rights to which you are entitled. Majestic has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed.

Please read the following carefully to understand our practices regarding personal data and how Majestic will process it.

Definitions

The privacy policy (hereinafter referred to as: “Policy”) of Majestic is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR). In this Policy, unless it is expressly provided otherwise, or the context otherwise required, the following terms shall have the meaning set forth below:

"Data Controller" (also ”Majestic”, “we”, “our”, “us”) means Majestic Financial UAB, company code 304712140, address Mėsinių str. 5, LT-01133, Vilnius, Lithuania, a company organized and validly existing under the laws of the Republic of Lithuania, which determines the purposes and means of the processing of personal data.

"Data Subject" (also “you”, “your”) means any natural person identified or directly or indirectly identifiable on the basis of Personal Data, especially you as a potential, existing and/or former client, our client’s employee or other parties, e.g. beneficial owners, authorised representatives, business partners, other associated parties and/or person contacting us using e–mail or other communication measures.

"Data Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Data Processor" means a natural or legal person, public authority agency or other body which processes personal data on behalf of the Data Controller.

"Data Transmission" means granting access for specified third persons to data.

"Data Management" means any operation or set of operations performed by the Data Controller on data, in particular collection, record, organization, storage, alteration, usage, query, transmission, disclosure, alignment, combination, deletion and erasure of data irrespective of the means thereof.

"Personal Data" means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Consent" of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Legal obligation” means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to (e.g. to respond to a court order or a regulator).

“Legitimate interest” means the legal ground for using your personal data, e.g. in order to provide and improve services, to administer our relationship with you and our business and/or for marketing.

Principles of processing personal data

The principles we follow in order to comply with the need to protect your personal data are the following:

• “principle of lawfulness, fairness and transparency“ – your personal data is processed lawfully, fairly, honestly and in a transparent manner in relation to the data subject;
• “purpose limitation principle“ – your personal data is collected for specified, clearly defined, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• “data minimization principle“ – your personal data must be adequate, relevant and limited only to what is necessary in relation to the purposes for which they are processed;
• “accuracy principle“ – your personal data must be accurate and, if necessary, kept up to date; every reasonable step must be taken to ensure that your personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or corrected immediately/without delay;
• “storage limitation principle“ – your personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
• “integrity and confidentiality principle“ – your personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Your personal data is considered as confidential information and may only be disclosed to third parties in accordance with the rules and procedure provided in this Privacy Policy and the applicable legal acts.

Please note that in case you provide Majestic with the information about any person other than yourself, your employees, counterparties, advisers or suppliers, you must ensure that they understand how their information will be used.

Information collected, purposes and legal basis for the processing of personal data

The type of personal information Majestic collects depends on purposes and legal grounds for personal data processing and the Accounts opened or services requested. It may include:

• Contact and personal information (your or your representative’s, ultimate beneficiary owners of legal entities): title, your first name, surname, date of birth, age, gender, nationality, email address, mobile phone number, personal code, residential address and/or mailing address, identity document details, photo, signature, employment status, workplace, source of funds, sex, citizenship, evidence of beneficial ownership or the source of funds, number of shares held, voting rights or share capital part.
  
  This information Majestic may process for the purpose of conclusion of the agreement or for performance of measures at your request prior to the conclusion of the agreements, for the purpose of execution of an agreement concluded with the data subject, for the purpose of meeting the legal requirements and for the purpose of other legal and predeterminate goals which are set before the collecting personal data.
  
  The legal basis for the processing of the above-mentioned data is: to take the necessary steps before the conclusion of the agreement, execution of the agreement concluded with the data subject, fulfilling Majestic’s legal obligations.
  
  
• Account information: IBAN and account name, transactional data, account details and transaction history, date of the transaction, time, amount, currency, location, name/IP address of sender and receiver, data about beneficiary and other details about the parties involved. This information Majestic may process for the purpose of execution of an agreement concluded with the data subject including but not limited to provision of payment services, for the purpose of meeting the legal requirements and for the purpose of other legal and predeterminate goals which are set before the collecting personal data.
  
  The legal basis for the processing of the above-mentioned data is: execution of the agreement concluded with data subject, fulfilling Majestic’s legal obligations.
  
  
• Information related to legal requirements – data resulting from enquiries made by the authorities, data that enables Majestic to perform anti-money laundering requirements and ensure the compliance with international sanctions, including the purpose of the business relationship and whether you are a politically exposed person and other data that is required to be processed by Majestic in order to comply with the legal obligation to “know your client”.
  
  This information Majestic may process for the purpose of conclusion of the agreement or for performance of measures at your request prior to the conclusion of the agreements, for the purpose of execution of an agreement concluded with the data subject, for the purpose of meeting the legal requirements and for the purpose of other legal and predeterminate goals which are set before the collecting personal data.
  
  The legal basis for the processing of the above-mentioned data is: to take the necessary steps before the conclusion of the agreement, execution of the agreement concluded with the data subject, fulfilling Majestic’s legal obligations.
  
  
• Video and audio records of video calls for identification
  This information Majestic may process for the purpose of conclusion of the agreement or for performance of measures at your request prior to the conclusion of the agreements, for the purpose of execution of an agreement concluded with the data subject, for the purpose of meeting the legal requirements, for the purpose of other legal and predeterminate goals which are set before the collecting personal data and for the purpose of the provision of an answer when you contact Majestic through Majestic’s website or other communication measures.
  
  The legal basis for the processing of the above-mentioned data is: to take the necessary steps before the conclusion of the agreement, execution of the agreement concluded with the data subject, fulfilling Majestic’s legal obligations.
  
  
• Automatically gathered information when submitting application form and accessing Majestic account, including but not limited to: metadata, IP address
  This information Majestic may process for the purpose of execution of an agreement concluded with the data subject, for the purpose of meeting the legal requirements and for the purpose of other legal and predeterminate goals which are set before the collecting personal data.
  
  The legal basis for the processing of the above-mentioned data is: fulfilling Majestic’s legal obligations.
  
  
• Information provided by filling in forms on the Majestic website
  This information Majestic may process for the purpose of the provision of an answer when you contact us through our website or other communication measures.
  
  The legal basis for the processing of the above-mentioned data is: your consent and/or fulfilling Majestic’s legitimate interests.
  
  
• Information provided when communicating with Majestic
  This information Majestic may process for the purpose of conclusion of the agreement or for performance of measures at your request prior to the conclusion of the agreements, for the purpose of execution of an agreement concluded with the data subject, for the purpose of meeting the legal requirements, for the purpose of other legal and predeterminate goals which are set before the collecting personal data and for the purpose of the provision of an answer when you contact Majestic through Majestic’s website or other communication measures.
  
  The legal basis for the processing of the above-mentioned data is: your consent, fulfilling Majestic’s legitimate interests and/or Majestic’s legal obligations.
  
  
• Special category data
  Biometrical data, i.e. physical, or behavioral characteristics resulting from specific technical processing used during remote identification which confirms the unique identification of a person, e.g. facial images.
  Majestic does not process special category data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using services (e.g. in payments details).
  
  The legal basis for the processing of the above-mentioned data is: your consent.
  
  
• Any other Personal data related to you that you may provide
  The legal basis for the processing of above-mentioned data is: execution of the agreement concluded with the data subject, fulfilling Majestic’s legal obligations, your consent, fulfilling Majestic’s legitimate interests.

Direct marketing

Majestic may use existing clients’ e–mail for Majestic’s similar goods or services marketing. In case you do not object to the use of your e-mail for the marketing of Majestic’s similar goods and services and you are granted with clear, free of charge and easily realizable possibility to object or withdraw from such use of your contact details by sending each message.

Majestic may also provide the information to you being Majestic’s client about Majestic’s products or services by sending the messages in the application and such messages may be viewed in the notification center, in case you do not choose the “opt-out” function in Majestic’s application.

In other cases, Majestic may use your Personal Data for the purpose of direct marketing, if you give Majestic your prior consent regarding such use of data.

Majestic is entitled to offer the services provided by Majestic’s business partners or other third parties to you or find out your opinion on different issues in relation to Majestic business partners or other third parties on the legal basis for this, i.e. on the basis of a prior consent.

In case you do not agree to receive these marketing messages and/or calls offered by Majestic, Majestic business partners or third parties, this will not have any impact on the provision of services to you as the client.

Majestic provides a clear, free-of-charge and easily realizable possibility for you at any time not to give your consent or to withdraw your given consent for sending proposals put forward by us. Majestic shall state in each notification sent by e-mail that you are entitled to object to the processing of the Personal Data or refuse to receive notifications from us. You shall be entitled to refuse to receive notifications from Majestic by clicking on the respective link in each e-mail notification.

How does Majestic obtain Personal data?

In general, Majestic obtains personal information from the following sources: 

• Information provided by you or given to Majestic on your behalf via account opening forms, transaction forms, telephone, Majestic’s website, money transfers, and the activation, use, and servicing of your account with Majestic;
• When it is provided to Majestic by a third party which is connected to you and/or is dealing with Majestic, for example, business partners, sub–contractors, service providers, merchants and etc.;
• Third party sources, for example, register held by governmental agencies or where Majestic collects information about you to assist with “know your client” check-ups as part of Majestic’s client acceptance procedures such as sanctions list, politically exposed persons list and etc.;
• From banks and/or other finance institutions in case the personal data is received while executing payment operations;
• From publicly available sources – Majestic may, for example, uses sources (such as public websites, open government databases or other data in the public domain) to help Majestic maintain data accuracy, provide and enhance Majestic’s services. 

To the extent that applicable law requires express consent or “option” for the collection and use of personal information, Majestic will maintain processes and procedures to ensure such information is collected with express consent.

Sharing of personal data

Majestic may disclose and/or transfer your personal data only in accordance with legal regulations and the principles of confidentiality to the following categories of recipients:

• Majestic’s business partners, agents or intermediaries who are a necessary part of the provision of Majestic’s products and services;
• external service providers that help Majestic’s to provide service for you;
• third parties where Majestic has a duty to or is permitted to disclose your personal information by law, mainly: governmental bodies and/or supervisory authorities (in accordance with the requirements and obligations under the provisions of legal acts concerning anti-money laundering, fraud prevention, counter terrorist financing), credit, financial, payment and/or other electronic money institutions, pre-trial investigation institutions, the State Tax Inspectorate;
• third parties where reasonably required to protect Majestic’s rights, systems and services, mainly: lawyers, bailiffs, auditors etc.;
• service providers such as: cloud storage/servers providers, card issuing institutions (such as Visa or MasterCard), other service providers with which Majestic has concluded service provision agreements (e.g. companies providing services for money laundering, politically exposed persons and terrorist financing check-up, other fraud and crime preventions) or when mentioned sharing is mandatory according to applicable laws.
• beneficiaries of transaction funds receiving the information in payment statements together with the funds of the transaction;
• if Majestic becomes involved in a merger, acquisition or any form of sale of some or all its business or assets, Majestic may disclose your personal data to third parties in connection with the evaluation of the transaction;
• other entities that have a legitimate interest or the Personal Data may be shared with them under the contract which is concluded between you and Majestic.

Majestic may also disclose your Personal Data, if Majestic is under a duty to disclose or share your personal information in order to comply with any legal or regulatory obligation or request.

The clients on-boarding tools used by Majestic

In order to make your identity verification, Majestic is using several tools/solutions provided by our partners.

Majestic is using the SUMSUB solution provided by our partner SUMSUB LTD Limited. The solution matches the photo image or video records of your face point that you provide through a mobile app or camera with your ID document. For more information on SUMSUB LTD please read its privacy policy https://sumsub.com/privacy-notice/

SUMSUB LTD solution is used for comparing live photographic data or video record of yourself and your ID card/passport, to comply with legal obligations (e.g. implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention of the Republic of Lithuania and other fraud and crime prevention purposes) and risk management obligations.

The result of the face similarity (match or mismatch) will be retained for as long as it is necessary to carry out verification and for the period required by anti-money laundering laws.

We ensure that the checks disclosed above are a process of comparing data acquired at the time of the verification, i.e. this is a one-time user authorization.

Your provided biometric data is not created, recorded and stored. It is not possible to regenerate the raw data from retained information. These processes shall allow us to verify you more precisely and will make the process quicker and easier to execute.

If you do not feel comfortable with this identification method disclosed above, you may contact us by email at applications@majestic.eu for alternative way to identify yourself.

International transfer of Personal Data

As Majestic provides international services your Personal Data may be transferred and processed outside the European Economic Area (hereinafter – the EEA).

The transfer of Personal Data may be considered as needed in such situations as, e.g.:

• in order to conclude the contract between you and Majestic and/or to fulfill the obligations under such contract;
• in cases indicated in laws and regulations for protection of our lawful interests, e.g. in order to bring proceedings in court/other governmental bodies;
• in order to fulfill legal requirements or in order to realize public interest.

In case your Personal Data is transferred outside the EU and the EEA, Majestic will take all steps to ensure that your data is treated securely and in accordance with this Privacy Policy and we will ensure that it is protected and transferred in a manner consistent with the legal requirements applicable to the Personal Data.

This can be done in a number of different ways, for example:

• the country to which Majestic send the Personal Data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection;
• the recipient has signed standard data protection clauses which are approved by the European Commission;
• special permission has been obtained from a supervisory authority.

Majestic may transfer Personal Data to a third country by taking other measures, if it ensures appropriate safeguards as indicated in the GDPR.

Data subject’s rights in relation to the personal data

You as a data subject have a number of rights in relation to your personal data. Under certain circumstances and in accordance with EU or other applicable data protection laws, you may have the right to:

• Right to be informed about the processing of your personal data – you have the right to get information about which personal data concerning Majestic processes. However, this right may be restricted by legislation, protection of other persons’ privacy and consideration for the Majestic’s business concept and business practices. The Majestic’s know-how, business secrets as well as internal assessments and material may restrict your right of access.
• Right to rectification of incorrect or incomplete data – if it turns out that Majestic processes personal data about you that is inaccurate, you have the right to request a rectification of the personal data. You can also request to have incomplete personal data about you completed.
• Right to erasure – you have the right to have any or all of your personal data erased. Provided Majestic does not have any continuing lawful reason to continue processing or holding your personal data, Majestic will make reasonable efforts to comply with your request. In certain cases, Majestic cannot erase all of your personal data. In such case this would be due to the fact that Majestic needs to store your Personal Data due to a contractual relationship or law.
• Right to restriction of processing of your personal data – you may also ask Majestic to restrict processing your personal data for a period of time. This can pertain, for example, to a situation where you believe it is unlawful for Majestic to do so and/or data about you is inaccurate and Majestic needs to verify it. It can also pertain to a situation where you object to processing that Majestic bases on a legitimate interest. In such case Majestic must verify, if Majestic’s grounds override yours.
• Right to object to any use of your personal data which is based on the legitimate interests – where Majestic relies on Majestic’s legitimate interests as the legal basis for processing your personal data, you have the right to object to Majestic using your personal data, unless Majestic’s reasons for undertaking that processing outweigh any prejudice to your data protection rights.
• Right to personal data portability – in certain situations you can ask Majestic to transfer your Personal Data to another data controller or provide directly to you in a convenient format (NOTE: applicable to personal data which is provided by you and which is processed by automated means on the basis of consent or on the basis of conclusion and performance of the contract).
• Right to withdraw your consent – in certain situations, where Majestic relies on your consent as the legal basis for processing your personal data, you may withdraw your consent at any time. In case you withdraw your consent, Majestic will stop that particular processing, when the processing is based on such consent. However, if you withdraw your consent, Majestic’s use of your personal data before you withdraw remains lawful.
• Right to lodge a complaint with a supervisory authority – you have the right to file a complaint concerning Majestic’s processing of your personal data in the same manner as stated below in Section 10 of this Privacy Policy. All queries and complaints shall be handled in a timely manner by Majestic in accordance with internal procedures.

In case you consider that Majestic’s processing of your personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation, you may also lodge a complaint with a supervisory authority – the State Data Protection Inspectorate.

Implementation of your rights

Majestic will exercise the above-mentioned rights only after Majestic receives your written request to exercise a particular right indicated in the Section 9 above and only after confirming the validity of your identity. Such written request shall be submitted to Majestic by personally appearing at Majestic’s registered office address, by ordinary mail or by e-mail: dpo@majestic.eu.

Your requests shall be fulfilled or fulfilment of your requests shall be refused by specifying the reasons for such refusal within 30 (thirty) calendar days from the date of submission of the request meeting Majestic’s internal rules and GDPR. The afore-mentioned time frame may be extended for 60 (sixty) calendar days by giving a prior notice to you, if the request is related to a great scope of personal data or other simultaneously examined requests. A response to you will be provided in a form of your choosing as the requester.

Retention of your personal data

The length of time Majestic retains your personal data is determined by a number of factors including the purpose for which Majestic uses that information and Majestic’s obligations under other laws. It means that Majestic will keep your personal data for as long as it is needed for the purposes for which your data was collected and processed but no longer than it is required by the applicable laws and regulations.

Majestic will store your personal data for as long as it is necessary for providing services and as required by retention requirements in laws and regulations. If the legislation of the Republic of Lithuania does not provide any period of retention of personal data, this period shall be determined by Majestic, taking into account the legitimate purpose of the data retention, the legal basis and the principles of lawful processing of personal data.

The terms of data retention of the personal data for the purposes of the processing of the personal data as defined in this Privacy Policy are following:

• Majestic retains your personal data as long as your consent remains in force, if there are no other legal requirements which shall be fulfilled concerning personal data’s processing;
• in case of the conclusion and execution of contracts – Majestic retains your personal data until the contract concluded between you and Majestic remains in force and up to 10 years after the contractual relationship between you and Majestic has ended;
• your personal data which has been collected in order to fulfil the obligations under the Law on Money Laundering and Terrorist Financing Prevention in a proper way shall be stored in accordance with the provisions of Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania, mainly – up to 8 (eight) years. The afore-mentioned period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority;
• your personal data which has been submitted by you through Majestic’s website is kept for a period which is necessary for the fulfilment of your request and to maintain further cooperation, but no longer than 6 months after the last day of the communication, in case there are no legal requirements to keep them longer.

In the situations when the terms of data keeping are stated in the legislative regulations, the legislative regulations shall be applied.

Please also be informed that under some circumstances, your personal data might be stored longer, mainly:

• in case it is necessary in order for Majestic to defend ourselves against claims, demands or action and in order to exercise Majestic’s rights in a proper way;
• in case there is a reasonable suspicion of an unlawful act that is being investigated;
• in case your personal data is necessary for the proper resolution of a dispute/ complaint;
• under other statutory grounds.

Data Security

Majestic utilizes physical, electronic, organizational and procedural security measures to protect against loss, misuse, and alteration of information under our data management. Majestic offers industry–standard practices and security measures to safeguard and secure the personal information we collect.

When you use our services, we encrypt all and every transmission of information using Secure Socket Layer technology (SSL). We follow generally accepted standards, and we usually go beyond the standards to protect the personal information submitted to us, both during transmission and one we receive it. We never collect or store your authentication keys and passwords in an unencrypted or invertible form. Our employees are bound by internal information security policies and are required to keep information secure. If you have any questions about security on our site, you can contact us at support@majestic.eu .

Contact with Majestic/DPO

The website of Majestic contains information that enables a quick electronic contact to Majestic, as well as direct communication with us, which also includes a general address of the so-called electronic mail (e-mail address). If you contact Majestic by e-mail or via a contact form, the personal data transmitted by you are automatically stored. Such personal data transmitted on a voluntary basis by you to Majestic are stored for the purpose of contacting you. There is no transfer of this personal data to third parties.

You are entitled to enquire adjustment or deletion of your stored personal data. Furthermore, if you have questions about this Policy or want to know further information or explanation about the data we store about you, please contact us by email at support@majestic.eu , or write to us at:

Majestic Financial UAB
Mėsinių str. 5
01133 Vilnius
Lithuania

You can also contact Majestic’s Data Protection Officer by sending an e-mail to the address: dpo@majestic.eu.

Changes to this Policy

As every high-quality service, Majestic constantly improves its services in effort to keep our clients satisfied. But these improvements necessarily mean changes. Due to the on-going changes in the law and technology, data practices will change from time to time. Thus, Majestic reserves the right to alter or modify this Privacy Policy when it is necessary at any time in accordance with applicable laws and regulations. Your privacy will not be reduced without your consent. If you are concerned about how your information is collected, stored, used or disclosed, you should periodically check back at this page.

Any changes and clarifications will take effect immediately on the date on which Majestic posts the modified terms on its website: https://www.majestic.eu/.