This Policy describes which personal data we collect and for what purposes we process it as a credit bureau and when you use our website https://scorify.ai/ (hereinafter - the Website). This Policy also provides important information about the protection of your personal data, your rights and how to exercise them. Therefore, be sure to take the time to review this Policy, and if you have any questions, please do not hesitate to contact us at the contacts provided. Please note that we reserve the right to change this Policy in the future, and we encourage you to read this Policy periodically.
What is personal data and how is it processed?
Personal data is any information that relates directly or indirectly to you when your identity is known or can be directly or indirectly identified through relevant data (such as name, e - mail address, personal identification number, etc.).
Processing of personal data means any operation with personal data (including the collection, recording, storage, editing, modification, granting of access, submission of requests, transmission, archiving, etc.).
When processing your personal data, the company follows the following principles of personal data processing:
- Your personal data will only be processed to the extent necessary to achieve the relevant clearly defined and legitimate purposes, considering the protection of your privacy.
- Your personal data is processed accurately, fairly, and lawfully and is processed only for purposes that correspond to the purposes stated before the collection of your personal data.
- Your personal data is processed in strict compliance with the clear and transparent requirements for the processing of personal data set out in the legislation.
- Your personal data will only be processed in such a form that your identity can be disclosed for no longer than is necessary for the purposes for which the personal data are processed.
- The processing of your personal data is subject to appropriate technical and organizational measures to ensure the security of your personal data, including protection against unauthorized processing and unintentional loss, destruction, and damage.
For what purposes do we process your personal data?
In accordance with the requirements of legal acts regulating the protection of personal data, the Company, as a credit bureau, processes data for the purposes of creditworthiness assessment and debt management. In this case, the Company is the controller of the relevant personal data.
The company collects and manages credit history, e.g. financial liabilities of individuals and the history of various payments, as well as information on inquiries. When processing information about legal entities, the data of the participants of the management bodies of legal entities are processed.
Depending on the purposes and nature of the processed data, the data is processed either with the consent of the data subject (the Company's client) or by concluding and executing a contract (with the controller's client) or on basis of legitimate interest of the Company or third parties to whom the data provided.
Credit history data are processed for the purpose of a legitimate interest in the processing of personal data for the purposes of credit assessment and debt management, credit rating. The assessment of the legitimate interest (test) has shown that the legitimate interest of the creditor / potential creditor outweighs the interests of the defaulting data subject and that the relevant data processing operations can be based on a legitimate interest.
It is important to note that in certain cases the Company acts as a data processor, i. y. when information on financial liabilities (credits taken) and personal data from state registers or information systems are received. In this case, personal data is stored for 3 years as standard, unless other terms of personal data storage are specified in the agreements with data controllers.
Processing of personal data for the purpose of creditworthiness assessment and debt management of legal and natural persons (provision of data to third parties with a legitimate interest so that they can assess a person's creditworthiness and manage debt).
Personal data processed: name, surname, personal identification code, e-mail address, place of residence (address), telephone number, date of incurrence of debt, amount of debt, creditor (name of legal entity, identification code), source of information on debt claim, date of debt payment , type of debt.
Condition for lawful processing: the processing is necessary in the legitimate interests of the controller or of a third party (Article 6 (1) (f) of the Regulation).
Retention period: data on the entity's timely and proper fulfillment of obligations are stored for a maximum of 10 years from the date of repayment of the debt.
Recipients: legal entities with a legitimate interest in solvency assessment and debt management, which assess personal solvency and manage indebtedness, including companies providing one type of loan or another, as well as deferred payment services (the largest group of which are banks and other financial institutions), hired data processors, such as IT service providers, providing IT maintenance and support services.
Processing of personal data for the purpose of personal solvency and financial risk assessment and debt management (joint financial risk data file) (In this case, the Company acts as a data processor):
Personal data processed: name, surname, personal identification code, identity document data, place of residence (address), education, position, marital status, telephone number, income, their specification and sources; data on financial and property liabilities: number of contracts, dates, types; the amount of property liabilities; financial liabilities, credit limit, account overdraft, used credits, interest, total financial liabilities, amounts payable; deadlines for fulfillment of obligations, deadlines for violations, number of violations; amounts and number of delayed payments; types of applications; application amounts; data subjects in joint debtors' files; personal rating.
Condition of lawful processing: processing of data is necessary for the legitimate interests of the Company's customers (data controllers) (Article 6 (1) (f) of the Regulation).
Retention period: data is retained for 10 years from the date of fulfillment of obligations; if a decision is made to refuse to provide a financial service - 3 years.
Data recipients: company customers (data controllers), financial institutions, banks, telecommunications companies, and other entities (data controllers), hired data processors, such as IT service providers, to provide IT maintenance and support services.
Data source: UAB Creditinfo Lietuva, which receives data from official state registers and information systems (Legal Entities, Mortgages, Seizures of Property, Real Estate, National Courts Administration, etc.); judicial information: information on civil debt cases in which a natural person is involved as a defendant / debtor; bailiffs' information on public bailiff's calls for debts issued to a natural person.
Please note that the Company calculates credit ratings on behalf of its customers (data controllers). A credit rating is an assessment of a person's creditworthiness. The rating indicates the predicted probability that a person may be delayed in meeting their payment obligations by 90 days or more. When assessing a person's creditworthiness, such external factors are considered, which signal the person's skills and opportunities to plan, assume and fulfill their obligations. The quality and sustainability of long-term individual skills and opportunities are assessed. It also means that the assessment cannot "recover" in a noticeably short period of time.
Rating is an assessment of a person's characteristics in an automatic way (profiling), which may affect your ability to conclude transactions in the future. Valuation automatically helps to lend responsibly, evaluating information provided by an individual, credit history, public information, and more. Automatic evaluation methods shall be reviewed regularly to ensure their fairness, efficiency, and impartiality.
Processing of personal data for the purpose of inquiry administration
Personal data is processed: name, telephone, e-mail. email address, content of the request.
Lawful processing condition:
- consent, which is expressed by sending inquiries to the Company through the contacts indicated on the Website or by using the opportunity to submit an inquiry on the Website (Article 6 (1) (a) of the Regulation);
- the legal obligation to examine the claim for allegedly infringed rights and / or legitimate interests and to provide a response applies (Article 6 (1) (c) of the Regulation).
Retention period: submitted inquiries are processed throughout the inquiry period and are retained for 6 months from the date of its examination. Personal data may be stored for a longer period if the request is not processed or is still being processed during that time, as well as if personal data migth be necessary to protect the legitimate interests of the Company or third parties, such as statute of limitations or legal disputes. If the complaint has been resolved by signing the settlement agreement, your personal data will be stored for 10 years.
In order to assess the circumstances of the submitted complaint or other inquiry and to make sure that they are justified, your personal data may be transferred to persons providing legal services (lawyers, bailiffs, consultants, etc.);
Hired data processors, such as IT service providers, to provide IT maintenance and support services;
These personal data may also be transferred to the competent authorities and / or law enforcement authorities (e.g. courts, police, or other supervisory authorities). However, your personal data will be provided only if it is necessary in accordance with the applicable legal acts and only in accordance with the procedure provided by legal acts, in order to ensure the Company's rights, security of the Company's customers, employees and resources
We note that your personal data is provided only to those third parties who ensure proper conditions for the processing and protection of personal data. Your personal data is not transferred to third countries (i.e. outside the European Union or the European Economic Area) or to international organizations.
What rights do you have and how can you exercise them?
Data subjects whose personal data we process have the right to:
request, access and obtain a copy of your personal data;
request the correction or restriction of inaccurate or incomplete personal data;
request the deletion or restriction of redundant or unlawfully processed personal data, withdraw consent or there are other sufficient grounds for doing so;
not to consent to the processing of his or her personal data when the personal data are processed in accordance with consent or on the basis of legitimate interest;
to request the transfer of your personal data submitted in a systematized, computer-readable format when personal data is processed in accordance with consent or a contract (right to data portability);
the right to withdraw his consent at any time when the processing is based on the data subject's consent (pursuant to Article 6 (1) (a)). Withdrawal of the data subject's consent shall not affect the lawfulness of the processing prior to the withdrawal of the consent;
to submit a complaint to the State Data Protection Inspectorate (firstname.lastname@example.org).
We do not use profiling-based automated decision-making processes to process your personal data, which may have legal consequences or have a similarly significant impact on you. Nevertheless, you have the right to request human intervention to express your opinion or object to such an assignment - in which case your rating may be recalculated manually.
The data subject may exercise his / her rights by submitting a written request to the Company in person (to employee of the Company), by post, through a representative or by electronic means - e-mail. E-mail: email@example.com, in writing - to the address: Olimpiečių st. 1A-24, LT-09235 Vilnius.
Upon placing request, the data subject must prove his / her identity in one of the following ways:
by submitting a request to an employee of the Company, together with a valid identity document;
by submitting a request by post or courier, together with a copy of a valid identity document certified in accordance with the procedure established by legal acts;
by submitting the application electronically, confirming it by electronic means of communication that allow proper identification of the person (e.g. mobile signature, qualified electronic signature, etc.).
Upon your request for the exercise of data subjects' rights, we will provide you with an answer immediately, but no later than within 1 month from the date of the request. This period may be extended by one month, if necessary, depending on the complexity and number of applications. You will be additionally notified of such an extension within one month. The information you request will be provided free of charge. However, if we see that your requests are manifestly unfounded or disproportionate, in particular due to their repetitive content, we reserve the right to charge a reasonable fee (i.e. to cover administrative costs) or to refuse to act on such request from the data subject.
The answer will be provided in the manner chosen in your request. If you do not specify in the request the way in which you wish to receive a reply, the reply will be sent to you in the same way as the request.
If the Company acts as a data controller, you should contact the data controller to whom you provided your data and / or services for the exercise of your rights. The company makes every effort to help enforce the data subject's rights and provide information to the customer (data controller).
How do we take care of the security of your personal data?
When processing your personal data, we apply appropriate organizational and technical security measures to protect your personal data from accidental or unlawful disclosure, destruction, alteration, or other unlawful acts. The above measures are chosen considering the risks to your rights and freedoms as a data subject.
In this case, we ensure strict access control to the processed personal data, therefore we grant access to them only to those employees who need your personal data to perform work functions and monitor the use of the provided access. Access to personal data is ensured by using the appropriate level of passwords and concluding confidentiality agreements with the persons who access your personal data.
We note that all employees of the Company who have access to your personal data are acquainted with the requirements of personal data protection and must ensure the confidentiality of the processed personal data.
Where to address in case of questions?
Cookies used by the website: