Introduction and Purpose
This Privacy Policy is designed to inform you about how Aeon Finance (“Aeon” or “we”) collects, uses, and shares your Personal Data in compliance with international data protection laws, including the EU’s General Data Protection Regulation (“GDPR”). The purpose of this policy is to ensure transparency and to provide you with a clear understanding of our data processing practices. As a user of our services, this Privacy Policy outlines your rights to your personal data and our commitment to protect it.
Scope and Applicability
For the purposes of this policy, “Personal Data” refers to any information relating to an identified or identifiable natural person (such person a “Data Subject” or “you”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Privacy Policy applies to all Personal Data processed by Aeon in the course of its cross-border remittance business. This includes, but is not limited to, Personal Data that Aeon collects directly from Data Subjects or receives from its third-party service providers and strategic partners, including licensed money services businesses (MSBs) (collectively, “Third-Party Service Providers”), in the course of providing you with Aeon’s services.
By engaging with Aeon’s services, you consent to the collection, use, and sharing of your Personal Data as described in this Privacy Policy. You have the right to withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice, although doing so may affect Aeon’s delivery of the services.
Data Collection and Use
Categories of collected Personal Data. Aeon may collect various types of Personal Data from Data Subjects to perform its services, including but not limited to:
- Contact information (e.g., name, address, email, phone number).
- Financial information (e.g., bank account details, transaction history).
- Identification information (e.g., passport number, national ID).
- Technical data (e.g., IP address, browser information).
- Other identifying information (e.g., date of birth, nationality, employment).
Automatic data collection. Aeon may automatically log certain data about you, your computer or mobile device, and your interaction with the provided services, such as:
- Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers, language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 5G), and general location information such as city, region, or general geographic area.
- Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.
- Communication interaction data such as your interactions with our emails, or other communications (e.g., whether you open and/or forward emails) – we may do this through use of pixel tags (which are also known as clear GIFs), which may be embedded invisibly in our emails.
Cookies and similar technologies. Some of the automatic collection described above is facilitated by the following technologies:
- Cookies, which are small text files that websites store on user devices to allow web servers to record users’ web browsing activities and remember their submissions, preferences, and login status as they navigate a site. Cookies used on our sites include “session cookies” that are deleted when a session ends, “persistent cookies” that remain longer, “first party” cookies that we place, and “third party” cookies that our service providers place.
- Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data on your device outside of your browser in connection with specific applications.
- Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate that a webpage or email was accessed or opened, or that certain content was viewed or clicked.
We may use cookies to allow the technical operation and enhance the functionality of our platform, and help us understand user activity.
Aeon’s use of Personal Data. Aeon uses your collected Personal Data for the following primary purposes:
- To facilitate international payments and transactions.
- To comply with legal and regulatory requirements, including any anti-money laundering (AML) or know-your-client (KYC) obligations, or for similar reasons to prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.
- To improve and personalize the services offered to Data Subjects.
- To send you direct marketing communications (which you may opt-out of at any time).
- To communicate with Data Subjects regarding their transactions and any changes to services.
Finally, in some cases, Aeon may ask for Data Subjects’ express consent to collect, use, or share Personal Data, such as when Aeon has a new legitimate purpose for using Personal Data that was not contemplated at the time Personal Data was originally collected.
Data Sharing and Third-Party Processors
In the course of providing services to the Data Subject, Aeon may share Personal Data with certain Third-Party Service Providers for the purpose of enhancing and facilitating the services offered, particularly in the context of international payments. This sharing of data will be conducted in a manner that is consistent with the GDPR and any other applicable international data protection laws.
The types of Personal Data that may be shared include, but are not limited to, a Data Subject’s contact and location information, financial information, and identification information. The sharing of this data is necessary for the execution of transactions, provision of customer support, and improvement of service quality.
Aeon maintains relationships with licensed MSBs and other third-party payment companies globally. These relationships are established to facilitate cross-border transactions and enhance the overall service offering to the Data Subjects. All third-party processors are required to adhere to data protection standards that are compliant with the GDPR and respect the privacy and security of the Data Subject’s data.
Before sharing any Personal Data with a Third-Party Service Provider, Aeon ensures that adequate data protection measures are in place and that the sharing is in compliance with applicable data protection laws, including the GDPR. The Data Subject will be informed of any significant changes to the list of third-party processors that may affect the processing of their Personal Data.
International Data Transfers
Aeon commits to ensuring the secure and lawful transfer of Personal Data across international borders. Accordingly, Aeon will employ one or more of the following mechanisms for international data transfers, ensuring an adequate level of protection for the Personal Data:
- Entering into Standard Contractual Clauses (SCCs) as contemplated under the GDPR, which provide specific data protection guarantees.
- Transferring Personal Data to countries that have been deemed to provide an adequate level of data protection under the GDPR.
- Using other supplementary data protection measures, methods, or mechanisms permitted by, or that would be required to comply with, applicable regulations in the relevant jurisdiction(s).
Before any international transfer of Personal Data, Aeon will conduct a thorough assessment to ensure that all necessary safeguards are in place and that the rights of Data Subjects are fully protected.
Data Subject Rights
In accordance with the GDPR, Data Subjects have the following rights regarding their Personal Data:
- Right of Access: Data Subjects have the right to obtain confirmation from Aeon as to whether or not Personal Data concerning them is being processed, and, where that is the case, access to the Personal Data and the following information: the purposes of the processing, the categories of Personal Data concerned, and the recipients or categories of recipient to whom the Personal Data have been or will be disclosed. Data Subjects also have the right to obtain information about the safeguards in place for international transfers of their Personal Data, upon request.
- Right to Rectification: Data Subjects have the right to rectify inaccurate Personal Data concerning them, or have incomplete Personal Data completed, and may request Aeon to do so at any time.
- Right to Erasure (‘Right to be Forgotten’): Data Subjects may request erasure of Personal Data concerning them without undue delay under certain conditions, including if the Personal Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the Data Subject withdraws consent on which the processing is based.
- Right to Restriction of Processing: Data Subjects have the right to restrict data processing under certain conditions, such as if they contest the accuracy of their Personal Data, for a period enabling Aeon to verify the accuracy of the Personal Data.
- Right to Data Portability: Data Subjects have the right to receive the Personal Data concerning them, which they have provided to Aeon, in a structured, commonly used and machine-readable format, and have the right to transmit that data as they see fit.
- Right to Object: Data Subjects may object to the processing of Personal Data concerning them. If they do so, Aeon will no longer process their Personal Data unless it has a legally justifiable reason to do so.
- Right to Not be Subject to Automated Decision-making, Including Profiling: Data Subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
Data Subjects can exercise these rights by contacting Aeon directly as indicated at the end of this policy.
Data Security Measures
In compliance with data protection laws, Aeon is committed to implementing and maintaining comprehensive data security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to:
- Ensuring that all Personal Data is stored in secure, encrypted databases.
- Employing industry-standard cybersecurity practices, including firewalls, intrusion detection systems, and regular security audits.
- Limiting access to Personal Data to authorized personnel only, based on the principle of least privilege.
- Training employees on data protection best practices and the importance of maintaining the confidentiality and security of Personal Data.
- Using Secure Sockets Layer (SSL) technology for encrypting data during transmission.
- Implementing robust procedures for detecting, reporting, and investigating Personal Data breaches.
- Engaging with Third-Party Service Providers that adhere to equivalent standards of data protection.
Aeon also commits to regularly reviewing and updating its data security measures to adapt to new threats and ensure the ongoing protection of Personal Data.
Data Breach Notification
In the event of a Personal Data breach, Aeon will act in accordance with the requirements of the data protection laws applicable to the jurisdiction of the breach (or the Data Subjects affected by the breach). In general, Aeon will use the following procedure:
- Immediate Investigation: Upon becoming aware of a Personal Data breach, Aeon will promptly investigate the matter to determine the scope and impact of the breach.
- Notification to Authorities: If the breach poses a risk to the rights and freedoms of Data Subjects, Aeon will promptly notify the relevant data protection authority as per applicable legal timelines.
- Notification to Data Subjects: When the Personal Data breach is likely to result in a high risk of harm to Data Subjects, Aeon will communicate the breach to the affected Data Subjects without undue delay. This communication will describe in clear and plain language the nature of the Personal Data breach, the likely consequences of the breach, and the measures being taken to address the breach.
- Documentation: All Personal Data breaches, regardless of their impact, will be documented, including the facts relating to the breach, its effects, and the remedial action taken.
- Engagement of Third-Party Service Providers: If necessary, Aeon may engage Third-Party Service Providers to assist in the investigation and mitigation of the breach.
Compliance with the California Consumer Privacy Act
Aeon is committed to complying with the California Consumer Privacy Act (“CCPA”) and protecting the privacy rights of California residents. Specifically, Aeon does not sell Personal Data to third parties and is committed to protecting the privacy rights of all Data Subjects, including those residing in California. Data Subjects may exercise their rights under the CCPA by contacting Aeon directly as indicated at the end of this policy. Aeon will respond to any request within the timeframes required by the CCPA.
Policy Updates and Review
Aeon reserves the right to update and review this Privacy Policy periodically to reflect changes in legal requirements, our data collection and use practices, the features of our services, or advances in technology. The date of the last update will be indicated at the top of the Privacy Policy document. Aeon will provide notice to its Data Subjects of any significant changes.
It is the responsibility of the Data Subjects to review the Privacy Policy periodically and remain informed about any changes to it. Your continued use of the services provided by Aeon after any changes to the Privacy Policy take effect will constitute your acceptance of those changes.
Contact Information
In accordance with data protection laws, Aeon has designated a Data Protection Officer (DPO) to oversee compliance with data protection laws and regulations. Data Subjects may contact the DPO for any inquiries related to the processing of their Personal Data, or to exercise any of their rights under relevant data protection laws (all as described above).
The Data Protection Officer for Aeon can be reached at the following contact details:
Email: DPO@aeonfinance.com
Postal Address: 161 Bay St. 27th Floor, Toronto, ON, Canada.
Data Subjects are encouraged to include their contact information and a brief description of their request or concern in their communication with the DPO to facilitate a prompt and accurate response.
Date: 19 April, 2024