Privacy Policy

1. Introduction

This Privacy Policy (“Policy”) aims to describe how Bison Bank, S.A. and Bison Digital Assets, S.A. (each an “Entity” and jointly the “Group” or “Entities”) processes personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or “GDPR”), Law 58/2019 of 8 August 2019, which ensures the execution of the GDPR, and all the other legislation on personal data protection.

Personal data subject to processing refers to the personal data of the Group’s clients (including representatives and beneficial owners, if applicable) and of the users of the websites or mobile applications of the Group (“Clients”).

2. Data Controller

The data controller are the entities that provides service or product, both with registered office at Rua Barata Salgueiro, 33, Piso 0, 1250-042 Lisboa, Portugal.

3. Personal Data

Personal data includes all the information relating to a natural person who is identified or identifiable, directly, or indirectly, such as, among others, name, civil or tax identification number, location data, or other specific elements of this person’s physical, physiological, genetic, psychological, economic, cultural or social identity.

In its provision of services and offer of products, the Group processes or may process various categories of personal data, including, but not limited to:

Identification data and contacts (e.g. name, numbers and expiration dates of civil identification documents, tax);
Contact details (e.g. address, phone number, email address);
Biographical data (e.g. date of birth, gender, nationality, place of birth, marital status, information on the household, academic qualifications, or data on the profession (name of employer, type of contract, remuneration);
Contractual data (e.g. account number, IBAN);
Transaction Data (e.g. date, time, description and value of banking operations and/or virtual assets services, as example, deposits, withdrawals, transfers, payments);
Credit and solvency data (e.g. bank account details, value of your assets, tax details);
Biometric data (e.g. fingerprint);
Voice and image recording data (e.g. phone call, video call and photo recordings);
Data regarding the use of websites and applications (e.g. pages visited or information about the equipment used – IP address, geographic location, browser used).

4. Collection Means

The Group collects the personal data of its Clients through the following means:

Data provided directly by the Clients (e.g. data or content provided directly by the holders (i) in the process of underwriting or acquiring products and services, (ii) e-mail messages, (iii) participation in the Group’s promotional actions, or (iv) in response to satisfaction surveys or surveys of the Entities);
Data collected in the context of the provision of services and offer of products (e.g. data relating to transactions and bank transactions and/or virtual assets transactions carried out by the holders with the Entities, as example, deposits, transfers, payments);
Profiling (e.g. data produced by the Entities through the application of analytical models to the data of the holders and the data relating to the use of the Entities products and services by the holders);
Cookies (e.g. data relating to the use of the Entities websites and applications, as example, pages visited; user preferences, obtained through cookies from of the sites Entities or third parties);
Data obtained from third-party entities (e.g. data obtained by the Group from third parties with which it works, including (i) Bank of Portugal, (ii) public authorities, (iii) agents working on behalf of the Group, or (iv) Group’s partners);

In the context of commercial and contractual relationships, the Group has the obligation to collect the personal data of Clients, potential Clients and other holders (e.g., representatives, beneficial owners) necessary to comply with pre-contractual and contractual, or even regulatory, obligations and steps.

5. Purposes for Processing Data

Data processing is defined as an operation or set of operations performed on personal data, performed by manual or automated means, including collection, storage, use, copying and transfer.

The personal data of the Group’s Customers is used in a lawful and transparent manner and for specific purposes, with reference to the respective legal bases:

Execution of a contract or pre-contractual due deligence

Onboarding of customers and their management (e.g. collection and registration of data from holders or representatives, opening of current accounts, changing holders and their data, or issuing bank/service statements);
Management of operations and banking services (e.g. processing of direct debits, national and international transfers, collection of product and/or service commissions, or execution of Client orders, as example, purchase and sale of securities and/or virtual assets);
Management of financial products (e.g. management of financial products Subscription, production, simulation, creation and management of savings and investment products, or provision of information on products and services purchased or subscribed by the Client);
Support and management of services related to electronic channels (e.g. adherence to electronic channels, as example, Internet banking, mobile banking, management of access credentials, personalization of channels, or activation and deactivation of related services);
Complaint management (e.g. reception, analysis, and response to requests for information and customer complaints);

Compliance with legal obligations

Administrative management (e.g. collection, classification, and storage of physical documents with personal data in the archive file, which constitute mandatory evidence in the context of the Group’s activity);
Anti money laundering and terrorist financing (e.g. verification of lists of persons and entities subject to financial or commercial sanctions, or identification and reporting of suspicious transactions);
Mandatory reporting to regulatory entities (e.g. provision of mandatory information (prudential and others) and at various requests from sectoral regulators, as example Bank of Portugal, European Central Bank, CMVM), public authorities such as Courts, Police, Tax authorities, external auditors and international entities);
Fraud prevention (e.g. fraud prevention Detection, analysis, and response to potential fraud events, in particular those related to remote operations, as example, Internet Banking);
Risk management (e.g. risk analysis, or verification of a Client’s identity and age, knowledge and experience, risk profile, and investment objectives);
Video surveillance (e.g. video surveillance of the Group’s physical facilities to collect evidence in the event of any mishap, namely burglary invasion or fraud);

Legitimate interest

Administrative management (e.g. collection, classification, and storage of physical documents with personal data in the documentary file, which constitute mandatory evidence in the context of the Entities activity);
Exercise of internal audit functions (e.g. collection and analysis of data in the context of the internal audit of the Entities processes and operations);
Event management (e.g. event management Collection and processing of data in the context of events held by the Group);
Provision of information (e.g. sending various informational material, as example, information security trends in financial markets and/or virtual assets markets, or in the context of the acquisition or subscription of products or services by Customers);
Marketing (e.g. marketing Provision of information or campaigns on products or services similar to those traded by the Entities, via telephone, SMS or email, to encourage the use or promote the acquisition or subscription of financial products and services for Customers);
Customer profiling and segmentation (e.g. customer characterization and segmentation, to better direct and adapt the Group’s commercial offer of products and services to the specific characteristics of Customers and define their profile of use of products and services and assess their propensity for them);
Management and security of information systems and facilities (e.g. management and monitoring processes of information systems and technological infrastructures, recording of access events and use of the systems, processes of detection, analysis and response to potential information security incidents, control of identities and access to the Entities information systems, or control of physical access to the premises);

Consent of the data subject

Marketing (e.g. provision of information or campaigns on products or services traded by the Entities or by partner entities, via telephone, SMS or email, to encourage the use or promote the acquisition or subscription of financial products and services for Customers);
Evidence of instructions and information transmitted by telephone (e.g. recording of calls/video calls as a means of proving information or instructions transmitted in the context of a pre-contractual relationship, as example, proof of identity of the holder or instructions transmitted in the context of a contractual relationship, as example, stock exchange orders);
Customization of the user experience on the website and mobile App (e.g. use of persistent cookies to record the activity and preferences of Customers on the Entities websites and applications);

6. Cookies

i) What are cookies?

Cookies are small text files with relevant information that are downloaded onto the user’s access device (computer, mobile phone/smartphone, or tablet) through the browser when a website is visited by the user.

The use of cookies not only enables the website to recognize the user’s device the next time he/she visits it, but also improves the operation and experience of this website.

The cookies used by the Entities on their websites do not collect personal information that could identify the user. They only process and keep general information, namely the form or place of origin of the users’ access and the way that they use Group’s websites, among other aspects.

The cookies only keep demographic data and information related to the users’ preferences.

The users may, at any time, through their browser, decide to be notified of the reception of cookies, and may block their entry into their system. However, it should be highlighted that rejection of the use of cookies on the Group’s websites could result in precluding access to some of their areas and not permitting the entire browsing experience on Group’s websites.

ii) What are cookies used for?

Cookies are used to help determine the usefulness, interest and number of uses of websites, enabling faster and more efficient browsing, and eliminating the need to repeatedly enter the same information.

iii) What type of cookies do we use?

Each cookie used has a function and an expiry date. Regarding function, the cookies used may be:

Essential cookies – Some cookies are essential to access specific areas of the Entities’ websites. These enable browsing website and using their applications, such as access to secure areas of Group’s websites through login. Without these cookies, the services requiring them cannot be made available.

Functional cookies – These cookies enable remembering the user’s preferences relative to browsing on Group’s website. Accordingly, the users do not need to reset and personalize it each time they visit it.

Name	Type	Purpose	Duration
_icl_visitor_lang_js	Functional cookies	Record the last language used for the next time the user returns to the Entities websites.	1 Month

Analytical cookies – These cookies are used to analyze the way that the Entities websites are used, enabling the highlighting of articles or services that could be of interest to the users, the monitoring of the websites performance, and knowledge of which are the most popular pages, what is the most effective method of links between pages or to determine the reason why some pages are receiving error messages. These cookies are used for purposes of creation and statistical analysis only, and never collect information of personal nature. This means that the Group can provide a high-quality experience by personalizing its offer and rapidly identify and correct any problems that may arise.

Name	Type	Purpose	Duration
_ga	Analytical cookies	Record a single ID that is used as statistical data of the Client’s visit.	2 Years
_gid	Analytical cookies	Record a single ID that is used as statistical data of the Client’s visit.	Session

Regarding expiry date, the cookies used may be:

Permanent cookies – These are stored on the user’s access devices (computer, mobile phone/smartphone, or tablet), at browser level, and are used whenever the user returns to the Entities websites. They are used to direct the browsing according to the user’s interests, enabling the Group to provide a more personalized service.

Session cookies – These are temporary cookies available until the session is closed. Next time the users access their browser, these cookies will no longer be stored. The information obtained by these cookies enables managing the sessions, identifying problems and providing a better browsing experience.

iv) Blocking the use of cookies

All browsers enable the user to accept, refuse or delete cookies. This can be done by selecting the appropriate definitions in the browser. Users are thus allowed to partially or completely deactivate the cookies used on Entities’ websites at any given time. For further information, see the instructions and manuals of the actual browser.

Nevertheless, the Entities inform that by deactivating the cookies on their websites they might not function properly.

Further information on cookies in www.allaboutcookies.org

7. Storage Period

The personal data collected are processed in strict compliance with the applicable legislation and stored in specific databases.

The Group processes and stores personal data in accordance with the respective purposes and observing the applicable legal time limits.

Whenever there is no specific legal requirement, the data will be stored and kept only for the appropriate time and to the extent necessary to pursue the purposes for which they were collected, unless the rights of objection, erasure or withdrawal of consent are exercised within the legal limits.

When the personal data are necessary for the Entities to prove compliance with contractual obligations or requirements of other nature, they can be kept for as long as the corresponding rights are valid.

To this end, and taking into account the specific rules in force as to certain legal obligations of keeping and reporting information, the different time limits for the storage of personal data according to the categories in which their processing falls are:

Financial activity & ML/CTF

7 years after the end of the business relations.

Commercial bookkeeping

10 years.

Taxation

10 years.

Marketing

5 years.

2 years.

Video surveillance

30 days.

8. Rights of the Data Subject

The holder of personal data, under the terms of applicable law, has the following rights:

The right of access to data concerning the holder
The right to its rectification
The right to request its portability
The right to object to treatment in cases where the law allows it
The right to limitation of treatment
The right to its erasure
The right to withdraw consent
The right not to be subject to exclusively automated individual decisions
The right to lodge complaints with the supervisory authority

These rights may be exercised with reasonable frequency and without undue delay or cost.

The data subject may exercise any of the aforesaid rights under the terms of paragraph 12 below.

The data subject also has the right to submit complaints related to the Group’s breach of the provisions regarding personal data protection to the Portuguese Data Protection Authority (“CNPD”) or other competent supervisory authorities.

9. Security Measures

In order to ensure the protection of personal data, the Group has taken various security, technical and organizational measures aimed at protecting the personal data against their destruction, loss, modification, disclosure, unauthorized access or any other form of unlawful treatment.

If any Entity outsources to other entities the provision of services that involve the assignment of personal data (e.g. providers of services related to IT, archives, support to back-office activity, consulting, private security, etc.), these entities shall be mandatorily required to take the necessary technical and organizational measures to protect the personal data against their destruction, loss, modification, disclosure, unauthorized access or any other form of unlawful treatment.

10. Disclosure to Third Parties

When necessary or appropriate (i) considering the applicable law; (ii) for compliance with legal obligations/court orders; (iii) to respond to requests of public or governmental authorities; or (iv) when the data subject has given consent, the Group may disclose the Clients’ personal data to the following third-party entities:

Group companies (companies controlled or participated in by Bison Bank, S.A.) or partner companies (namely in the context of the dissemination of consultancy services and similar financial services);
Legal and judicial entities or public authorities (namely supervisory authorities);
Entities managing credit risk registers, credit analysis and fraud prevention agencies, entities providing solvency services (namely credit acquisition entities), credit collection entities;
Outsourced entities and suppliers (namely, entities providing payment services, banking or financial services, postal services, IT services, archive services).

If any of the entities are established in third countries that do not assure an adequate level of personal data protection, the Group undertakes to ensure that these entities implement the necessary technical and organizational measures to protect the personal data under the terms stipulated in paragraph 9 above.

11. Data Transfer

The Group shall transfer data to third countries that do not belong to the European Union or to the European Economic Area only in the cases permitted by law. Transfers of data to entities outside the European Union may occur, namely, when this is necessary for (i) the execution of a contract between the Client and the Group; (ii) procedures prior to the formation of the contract decided at the Client’s request; (iii) the conclusion or execution of a contract concluded in the Client’s interest; or (iv) by explicit authorization of the Client.

12. Contacts

In the event of any doubt or question related to this Policy or to the exercise of your rights of the data holder, please contact the Entities, through notification of the Data Protection Officer (“DPO”), by email to epd@bisonbank.com or by letter addressed to the Entities for the attention of the DPO and sent to the Group headquarters.

13. Changes to the Policy

The Group reserves the right to change this Policy at any time.