BRANKAS PRIVACY NOTICE AND CONSENT FORM
Last Updated August 16, 2022
With this policy, we present transparently that we gather, store and handle personal data fairly and in accordance with the law. As part of our drive to serve you better, we need to obtain and process your information. This includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data, etc.
Brankas collects or processes this information only with the full knowledge, cooperation, and consent of interested parties. Once this information is available to us, the following rules apply.
Your data will be kept up-to-date, collected, or processed fairly and for lawful purposes only. The information you give us will be processed within legal boundaries and will be protected against any unauthorized or illegal access by internal or external parties. You are free to exercise your rights under the law as a Data Subject and we fully respect the same.
Your data will not be distributed to any party other than the ones you have consented to and agreed to (exempting those compellable to be disclosed by law and legitimate requests from courts of competent jurisdiction and law enforcement authorities). Without your express consent as the Data Subject, your data will not be communicated or transferred, informally or in any manner, to any other person, entity, organization, or country.
In addition to our methods of handling the data, Brankas has direct obligations toward Data Subjects to whom the data belongs. We allow Data Subjects to modify, erase, reduce, or correct data contained in our databases in line with their rights under the applicable privacy law in which they are located. We maintain provisions in our systems in cases of lost or corrupted data.
For your protection, Brankas is committed to restricting and monitoring access to sensitive data. Our officers and employees will be trained in online privacy and data security and will establish data protection practices (secure locks, data encryption, access authorization, etc.). In addition, security measures will be built through a secure network to protect data from cyber-attacks.
Thank you for using Brankas!
CHAPTER I - DEFINITIONS
Data Subject refers to an individual (e.g. the end-user of the Brankas service) whose Personal Data is collected or processed;
Personal Data refers to any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing refers to any operation performed upon Personal Data including, but not limited to, collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking erasure, or destruction of data. Processing may be performed through automated means or manual processing.
Specific Personal Data refers to Personal Data:
- personal finances, including but not limited to bank deposit data including savings, deposits, and credit cards.
- about a person’s race, ethnic origin, marital status, age, color, religious affiliation, philosophy, or politics;
- about a person’s health, education, genetic or sexual life, or any legal process for any offense committed or alleged to have been committed by that person, the completion of such legal process, or the punishment of any court authorized in respect of such proceedings;
- issued by government agencies specifically for individuals that include, but are not limited to, social security numbers, residence identities, previous or current health records, their permits or refusals, their suspension or revocation, and tax returns (tax returns); and
- specifically stipulated by executive orders or legislation to be kept confidential.
CHAPTER II - PERSONAL DATA COLLECTED, USED, AND SHARED
Information Brankas Collects - Brankas collects your (or “you”) Personal Data, which, where applicable, may include credentials such as user name and password or security token. In some cases, we also collect your phone number, email address, and one-time password (OTP) to help verify your identity before providing our services to you. When providing this information, you give Brankas permission to act on your behalf to access, use, disclose and share your Personal Data from relevant banks or other entities (i.e., providers of financial products and services) to provide our services for your use. Further, with your consent and at the request of your financial services provider, Brankas may store your credentials such as username, password, OTP, and token number which are generated digitally or through hard tokens. The data will be stored on the servers of the Company or a third-party provider. If we will use your data beyond this state purpose, Brankas will ask for your consent anew. We uphold the confidentiality and privacy of your data. You can also provide us with other information, including your name, email address, and phone number.
The specific information we collect from your bank or financial product and service providers depends on the service you availed from us. Overall, this includes:
- Account information, including financial institution name, account name, account type, and account ownership;
- Information about an account balance, including current and available balance;
- Information about account transactions, including amount, date, payee, type, quantity, price, location, involved securities, and a description of the transaction;
- Information about credit accounts, including due dates, balances owed, payment amounts and dates, transaction history, credit limit, repayment status, and interest rate;
- Information about loan accounts, including due dates, repayment status, balances, payment amounts and dates, interest rate, guarantor, loan type, payment plan, and terms; and
- Information about the account owner(s), including name, email address, and phone number.
Upon using our services, if you have given consent to process your Personal Data, and later on you change your mind, you may withdraw your consent by contacting us via firstname.lastname@example.org.
Basis for Processing Your Personal Data - Our legal basis for processing your Personal Data will depend on the information concerned and the context in which we collected or processed it. Generally, however, we will normally only collect and process Personal Data where:
- fulfillment of our responsibilities and obligations in any contract or agreement with you (for example, to comply with our services agreements);
- to comply with our legal obligations under applicable law;
- processing is necessary for our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (for example, to safeguard our services; to communicate with you, or to update our services); or
- you have given your consent to do so.
To the extent we rely on consent to collect and process Personal Data, you have the right to withdraw your consent at any time per the instructions provided in this Policy.
How Brankas Uses Your Personal Data – With your consent, we use your Personal Data for a number of business and commercial purposes, including to operate, improve, and protect the services we provide, and to develop new services. More specifically, we use your Personal Data:
- To provide, operate, and maintain our services, which you intend to avail of;
- To improve, modify, add to, and further develop our services;
- To develop new services;
- To protect you, our partners, us, and others from fraud, malicious activity, and other privacy and security-related concerns;
- To provide customer support to you, including helping respond to your inquiries related to our service;
- To investigate any misuse of our service, criminal activity, or other unauthorized access to our services;
- To notify you about our latest service that may be tailored to your need; and
- For any other purpose notified subject to your explicit consent and taking into account the objectives, needs, and balance of the interests of Brankas and the rights of the Data Subject.
How Brankas Shares Your Personal Data – With your specific consent and only in specific instances, we share your Personal Data for a number of business purposes:
- To enforce any contract with you;
- With our data processors and other service providers, merchants, partners, or contractors in connection with the services they perform for us and subject to any data outsourcing agreement they have with us;
- If, in good faith, disclosure is appropriate to comply with applicable law or legal process;
- In connection with a change in ownership or control of all or a part of our business (e.g. merger, reorganization, bankruptcy, etc.);
- Between and among Brankas affiliated entities such as parents, affiliates, subsidiaries, and other companies under common control or ownership, subject to any data-sharing agreement among such entities;
- To reasonably protect the rights, privacy, safety, or property of Data Subjects such as yourself, us, our partners, and others; or
- For any other notified purpose subject to your consent.
Transfer of Personal Data outside the jurisdiction of the Philippines, Indonesia, Singapore, and Thailand – Brankas operates in Southeast Asia and may transfer Personal Data to other personal data controllers outside the jurisdiction of the Philippines, Indonesia, Singapore, Thailand, and Vietnam which may have data protection rules different from those of your residence or place of domicile. We will take appropriate measures to ensure that:
- the country in which the controller of such other personal data or international organization receives the transfer of Personal Data has a level of protection of Personal Data equal to or higher than stipulated in the prevailing laws and regulations;
- there are international agreements between countries;
- there is a contract between personal data controllers that have standards and/or guarantees of protection of personal data following the applicable laws and regulations; and/or
- data subject’s consent is obtained for this purpose.
Retention Period of Personal Data – For the processing of such Personal Data, we will only retain Personal Data for 3 years under our Retention Policy. When such retention period ends or at the request of the Data Subject, the Personal Data we have processed will be deleted or destroyed, or removed from the list, with the exception of other decisive laws and regulations.
Other - We may collect, use and share your Personal Data aggregated or anonymously (without personally identifying you) for any purpose permitted by law, including creating or using data collected or anonymized based on Personal Data collected to develop new services and to facilitate research subject to your explicit consent. We do not sell or lease out Personal Data or any information we collect.
CHAPTER III - ORGANIZATIONAL SECURITY OBLIGATIONS AND MEASURES
Data Privacy Principles - All Processing of Personal Data within Brankas will be conducted in compliance with the following data privacy principles:
- collection of Personal Data is limited and specific, legally valid, appropriate, and transparent;
- the processing of Personal Data is carried out in accordance with its purposes;
- the processing of Personal Data is carried out by guaranteeing the rights of the owner of the Personal Data;
- the processing of Personal Data is accurate, complete, not misleading, current, and accountable;
- the processing of Personal Data is done by protecting the security of Personal Data from unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and/or loss of Personal Data;
- the processing of Personal Data is carried out by notifying the purposes and activities of the processing, as well as the failure to protect personal data;
- Personal Data is destroyed and/or deleted after the retention period ends or at the request of the owner of the Personal Data unless otherwise provided by the legislation; and
- the processing of Personal Data is carried out responsibly by fulfilling the implementation of the principles of protection of Personal Data and can be clearly proven.
Data Processing Records – We will maintain adequate and up-to-date records of Personal Data Processing activities at all times. These records shall include, at the minimum:
- Information about the purpose of the Processing of Personal Data, including any intended future Processing or data sharing;
- A description of all categories of Data Subjects, Personal Data, and recipients of such Personal Data that will be involved in the Processing;
- General information about the data flow within Brankas, from time of collection and retention, including the time limits for disposal or erasure of Personal Data;
- A general description of the organizational, physical, and technical security measures in place within Brankas; and
- The name and contact details of any staff accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
Brankas will annually conduct a privacy impact assessment relative to all activities, projects, and systems involving the Processing of Personal Data. We will review security policies, conduct vulnerability assessments, and perform penetration testing, as applicable, within Brankas on a regular schedule to be prescribed by our IT Team.
Personal Data Management – We will develop and implement measures to ensure that all Brankas staff who have access to Personal Data will strictly process such data in compliance with applicable laws and regulations. These measures may include drafting new or updated relevant policies of Brankas and conducting or sponsoring training programs to educate our stockholders, directors, officers, employees, agents, and other interested parties on data privacy-related concerns.
We will obtain your informed consent, evidenced by written, electronic, or recorded means, concerning:
- The Processing of your Personal Data, for purposes of maintaining Brankas' records;
- The sharing of your Personal Data with a third party, if necessary, is subject to the requirement that you will be provided with the following information before your Personal Data is shared:
- Identity of the third party that will be given access to the Personal Data;
- Purpose of the data sharing;
- Categories of Personal Data concerned;
- Intended recipients or categories of recipients of the Personal Data;
- Existence of your rights as Data Subject, including the right to access and correction, and the right to object; and
- Other information that would sufficiently notify you of the nature and extent of data sharing and the manner of Processing.
A continuing obligation of confidentiality is imposed on our stockholders, directors, officers, employees, agents, or other interested parties in connection with the Personal Data that they may encounter during the period of which they are such with Brankas. This obligation will still apply after they cease to work with Brankas for whatever reason.
Data Collection Procedures – We will document our Personal Data Processing procedures. We ensure that these procedures are updated and that your consent is properly obtained when required by law and evidenced by written, electronic, or recorded means. These procedures will also be regularly monitored, modified, and updated to ensure that your rights as a Data Subject are respected and that we process your Personal Data according to law.
Delays and Restrictions on Data Processing – We will delay and restrict the processing of Personal Data either in part or in whole no later than 2 (two) working days from the time we receive the request for delay and restriction of processing of Personal Data from the Data Subject.
Internal Monitoring – Brankas will regularly supervise any party involved in the processing of Personal Data under the control of Brankas.
Provision of Personal Data access – Brankas provides the Data Subject with access to the processed Personal Data along with a track record of processing Personal Data in accordance with the period of retention of the Personal Data. The provision of such access is granted no later than 3 (three) working days from the date the Personal Data Controller receives the access request.
Denial of access to Personal Data – Brankas may refuse to grant personal data access to data in the event of known or should be expected:
- jeopardize the safety or physical health or mental health of data subjects and/or others;
- impact on the disclosure of other people’s Personal Data; and/or
- contrary to national defense and security interests.
Personal Data Update and Correction – Brankas will update and/or correct any errors and/or inaccuracies in Personal Data within 1 (one) working day from the time Brankas receives a request for updating and/or repairing personal data via email@example.com or chat, through the widget in the lower right corner, with our Support Team at https://brankas.com.
Guarantees for the accuracy, completeness, and consistency of Personal Data – Brankas guarantees the accuracy, completeness, and consistency of Personal Data in accordance with the provisions of the laws and regulations under which it operates. Brankas conducts verification of such processed Personal Data.
Termination of processing of Personal Data – Brankas will terminate the processing of Personal Data if:
- has reached retention period;
- the purpose of processing Personal Data has been achieved; or
- there is a request from Subject Data.
Deletion or destruction of Personal Data – Brankas will delete Personal Data if:
- Personal Data is no longer necessary for the achievement of the purposes for which personal data is processed;
- the Data Subject has withdrawn consent to the processing of Personal Data;
- there is a request from the Data Subject
- the retention period has lapsed; or
- Personal Data is obtained and/or processed unlawfully.
Appointment of a Personal Data Protection Officer – Brankas may appoint an officer or officer who performs the functions of personal data protection and has the following obligations and responsibilities:
- inform and advise Brankas as the controller of personal data to comply with the provisions in the prevailing laws and regulations;
- monitor and ensure compliance with applicable laws and regulations and privacy policies, including assignment, responsibility, awareness-raising, and training of parties involved in the processing of Personal Data, and related audits;
- provide advice on assessing the impact of processing activities and monitoring the performance of Brankas as a personal data controller and personal data processor; and
- coordinate and act as a contact person for issues relating to the processing of Personal Data, including consulting on risk mitigation and/or other matters.
The officer or officer performing the protective function of such Personal Data shall be appointed based on professional quality, knowledge of the laws and practices of personal data protection, and the ability to fulfill its duties, as well as pay attention to risks associated with the processing of Personal Data, taking into account the nature, scope, context, and purpose of processing.
CHAPTER IV - TECHNICAL SECURITY MEASURES
- Safeguards to protect Brankas computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;
- Our ability to ensure and maintain the confidentiality, integrity, availability, and resilience of Brankas data processing systems and services;
- Regular monitoring for security breaches, and a process for identifying and accessing reasonably foreseeable vulnerabilities in Brankas computer network and system, and taking preventive and corrective actions against security incidents that can lead to a Personal Data breach;
- Our ability to restore the availability and access to Personal Data promptly in the event of a physical or technical incident;
- A process for regularly testing and evaluating the effectiveness of security measures;
- Encryption of Personal Data during storage and while in transit, authentication process, and other technical security measures that control and limit access thereto; and
- Our determination of the level of security of Personal Data takes into account the nature and risks of Personal Data that must be protected in the processing of Personal Data.
Monitoring for security breaches – We install updated versions of anti-virus software on electronic computing devices that access the internet or wifi connections (desktops, notebooks, smartphones, iPads, and similar devices). We also use an intrusion detection system to monitor security breaches and alert us of any attempt to interrupt the system.
Security features of the software/s and application/s use - All software applications are reviewed and evaluated by our IT team before installing these in Brankas computers and devices to ensure the compatibility of security features with overall operations.
Encryption, authentication process, and other measures - Brankas personnel with access to Personal Data will verify their identity using a secure encrypted link and multi-level authentication as adopted by the IT Team.
CHAPTER V - RIGHTS OF THE DATA SUBJECT
As Data Subjects, you have the following rights in connection with the Processing of your Personal Data: the right to be informed, right to object, right to access, right to rectification, right to erasure or blocking, and right to damages. Stockholders, directors, officers, employees, and agents of Brankas are required to strictly respect and obey the rights of the Data Subjects.
Right to be Informed – You have the right to be informed whether your Personal Data will be, is being, or has been processed. You will be notified and furnished with the information indicated below before the entry of your Personal Data into our records:
- Description of the Personal Data to be entered into the system;
- Brankas identity as a personal data controller;
- Purposes for which they are being or will be processed, including Processing for direct marketing, profiling, or historical, statistical, or scientific purposes;
- Basis of Processing, when Processing is not based on your consent;
- Scope and method of Personal Data Processing;
- The recipients to whom the Personal Data are or may be disclosed or shared;
- Methods utilized for automated access, if you allow the same, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for you;
- The period for which the Personal Data will be stored; and
- The existence of your rights as a Data Subject, including the right to access, correct, and object to the Processing.
Right to Object - You have the right to object to the Processing of your Personal Data, including Processing for direct marketing, automated Processing, or profiling. You will also be notified and given an opportunity to withhold consent to the Processing in case of changes to the information supplied or declared to you in the preceding section.
When you object or withhold consent, we will no longer process your Personal Data, unless:
- The Personal Data is collected or processed under a legal process or needed to comply with a legal obligation; or
- The Processing is for obvious purposes, including when it is necessary for the performance of or concerning a contract to which you are a party, or when necessary or desirable in the context of an employer-employee relationship between you and us.
Right to Access – You have the right to reasonable access to, upon demand, the following, if such information is available to us:
- Contents of your Personal Data that were processed;
- Sources from which Personal Data were obtained;
- Names and addresses of recipients of the Personal Data;
- Manner by which your Personal Data were processed;
- Reasons for the disclosure of the Personal Data to recipients;
- Information on automated processes where the Personal Data will, or is likely to, be made as to the sole basis for any decision that significantly affects or will affect you; and
- Date when Personal Data concerning you were last accessed and modified.
Right to Rectification – You have the right to dispute the inaccuracy or rectify the error in your Personal Data, and we will correct it immediately and accordingly unless the request is vexatious or otherwise unreasonable. If the Personal Data has been corrected, we will ensure accessibility of both the new and the retracted Personal Data and the simultaneous receipt of the new and the retracted Personal Data to the intended recipients. In connection with this, recipients or third parties who have previously received such processed Personal Data will be informed of its inaccuracy and its rectification, upon reasonable request.
Right to Erasure or Blocking/Delisting - You have the right to suspend, withdraw, or order the blocking, delisting, removal, or destruction of your Personal Data from our system. This right may be exercised upon discovery and substantial proof of any of the following:
- The Personal Data is incomplete, outdated, false, or unlawfully obtained;
- The Personal Data is being used for purposes not authorized by you;
- The Personal Data is no longer necessary for the purpose for which they were collected;
- The Personal Data concerns private information that is prejudicial to you or other Data Subjects unless justified by freedom of speech, expression, or authorized by law;
- The Processing is unlawful;
- You or other Data Subjects' rights have been violated; or
- You withdraw consent or object to the Processing, and there is no other legal ground or overriding legitimate interest for us to continue the Processing;
We will notify third parties who have previously received such processed Personal Data that you have withdrawn consent or objected to the Processing thereof upon reasonable request.
Right to Object – The Data Subject reserves the right to object to decision-making actions based solely on automated processing of a person’s profile(profiling).
Right to Indemnification – The Data Subject reserves the right to sue and receive damages for the breach of his/her Personal Data in accordance with the provisions of the laws and regulations.
Transmissibility of Rights of Data Subjects – Your lawful heirs and assigns may invoke your rights as the Data Subject at any time after your death, or when you become incapacitated or incapable of exercising your rights.
Data Portability – When we process your Personal Data through electronic means and in a structured and commonly used format, you will have the right to obtain a copy of such data in an electronic or structured format that is commonly used and allows for your further use. The exercise of this right will primarily take into account your right to have control over your Personal Data being processed based on consent, for commercial purposes, or through automated means.
CHAPTER VI - DATA BREACHES AND SECURITY INCIDENTS
Data Breach Notification - All our stockholders, directors, officers, employees, and agents involved in the Processing of Personal Data are tasked with regularly monitoring for signs of a possible data breach or security incident. In the event that such signs are discovered, facts and circumstances will be reported to our authorized personnel within 24 hours from discovery for verification as to whether or not a breach requiring notification to regulators has occurred. If indeed there is a breach of such nature, we will notify any relevant government authority and affected Data Subjects according to requirements and procedures prescribed by law.
The notification will at least describe the nature of the breach, the Personal Data possibly involved, and measures are taken by Brankas to address the breach. The notification will also include measures taken to reduce the harm of the breach and the name and contact details of Brankas’ authorized personnel. The form and procedure for notification will conform with the law.
Breach Reports - All security incidents and Personal Data breaches will be documented through written reports, including those not covered by notification requirements. In the case of Personal Data breaches, a report will include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by Brankas. In other security incidents not involving Personal Data, a report containing aggregated data will be sufficient.
CHAPTER VII - DISPUTE RESOLUTION AND LAW
If there is a suspected violation of Personal Data committed by Brankas and/or a party affiliated with us that can be proven legally, then the aggrieved Data Subject or other related parties may file a dispute resolution through arbitration, court, or other alternative dispute resolution institution following the provisions of the laws and regulations. The law applicable in dispute resolution and/or the process of personal data protection court shall be carried out based on the applicable law in accordance with the provisions of the legislation. Valid evidence in the process of resolving this dispute is a tool of evidence as referred to in the law of the event and other evidence tools in the form of electronic information and/or electronic documents in accordance with the legislation. If it is necessary to protect Personal Data, the proceedings will be conducted privately.
CHAPTER VIII - OUTSOURCING AND SUBCONTRACTING
Any Personal Data Processing conducted by an external agent or entity (third-party service provider) on our behalf should be evidenced by a valid written contract with us. The contract should expressly set out the subject matter and duration of the Processing, the nature, and purpose of the Processing, the type of Personal Data and categories of Data Subjects, our obligations and rights, and the geographic location of the Processing under the contract.
The fact that we entered into such an arrangement does not give the said external agent or entity the authority to subcontract to another entity the whole or part of the subject matter of said arrangement unless expressly stipulated in writing. The subcontracting agreement will also comply with the criteria prescribed by the preceding paragraph.
In addition, both foregoing contracts described will include express stipulations requiring the external agent or entity (including the subcontractor) to:
- Process the Personal Data only upon our documented instructions, including transfers of Personal Data to another country or an international organization, unless such transfer is required by law;
- Ensure that an obligation of confidentiality is imposed on persons and employees authorized by the external agent/entity and subcontractor to process the Personal Data;
- Implement appropriate security measures;
- Comply with applicable laws and regulations, in addition to the obligations provided in the contract, or other legal act with the external party;
- Not engage another processor without our prior instruction, and any such arrangement will ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the Processing;
- Assist us, by appropriate technical and organizational measures, and to the extent possible, fulfill the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
- Assist us in ensuring compliance with the law, taking into account the nature of Processing and the information available to the external party;
- At our discretion, delete or return all Personal Data to us after the end of the provision of services relating to the Processing, including the deletion of existing copies unless storage is authorized by law;
- Make available to us all information necessary to demonstrate compliance with the law, and allow for and contribute to audits, including inspections, conducted by us or another auditor mandated by us; and
- Immediately inform us if, in its opinion, an instruction violates the law.
CHAPTER IX - SUMMARY OF PROCESSING ACTIVITIES
We have enumerated Brankas products that collect information about you and the uses of the information collected. Kindly note that these Brankas products are enumerated here as of the effective date of this Policy and may not include products or services in development as of that date.
CHAPTER X - HOW TO CONTACT US
Data Protection Officer and Support - firstname.lastname@example.org