Version 1.0
Prepared by: @Lorraine Sebata
Approved by: @Feli Capron
Reviewed date: 2025-07-25
Next review date: 2026-07-24
This Customer Data Privacy Policy outlines Easyterms' commitment to protecting the privacy of personal data collected from its customers. It establishes the principles for the collection, use, storage, disclosure, and disposal of customer data, ensuring compliance with data protection laws and upholding customers' rights regarding their personal information.
This policy applies to all employees, agents, contractors, and third parties acting on behalf of Easyterms across all business lines, products, and services. It covers all personal data (as defined by applicable data protection laws) collected from customers, regardless of the format in which it is held.
3.1 Data Protection Principles
Easyterms adheres to the following data protection principles:
Lawfulness, Fairness, and Transparency: Personal data will be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation: Personal data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Minimization: Personal data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data will be accurate and, where necessary, kept up to date.
Storage Limitation: Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and Confidentiality: Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
3.2 Legal and Regulatory Compliance
The company is committed to full compliance with all applicable national and international data protection laws and regulations, including but not limited to [mention specific local laws, e.g., GDPR, CCPA, local Data Protection Acts].
3.3 Customer Consent
Where required by law, personal data will be collected and processed only with the explicit and informed consent of the customer. Customers will be informed about the purposes of data collection and their rights.
3.4 Data Collection and Use
Personal data will be collected only for legitimate business purposes, such as customer identification, credit assessment, service provision, and regulatory compliance. The use of data will be consistent with the purposes for which it was collected.
3.5 Data Security
Robust technical and organizational measures shall be implemented to protect customer personal data against unauthorized access, accidental loss, destruction, or damage. This includes encryption, access controls, firewalls, and regular security audits.
3.6 Data Retention
Customer personal data will be retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by legal and regulatory obligations. Data will be securely disposed of once no longer needed.
3.7 Data Subject Rights
Customers have the right to:
Access their personal data.
Request correction of inaccurate data.
Request erasure of their data (the "right to be forgotten").
Object to the processing of their data.
Request restriction of processing.
Data portability.
Withdraw consent at any time, where processing is based on consent.
Procedures will be in place to facilitate the exercise of these rights.
3.8 Data Sharing and Transfers
Personal data will not be shared with third parties unless there is a legal basis for doing so (e.g., customer consent, legal obligation, legitimate interest). Any international transfers of personal data will comply with applicable data protection laws and ensure adequate safeguards.
3.9 Data Breach Notification
In the event of a personal data breach, Easyterms will assess the risk to individuals' rights and freedoms and, where required, notify the relevant supervisory authority and affected data subjects without undue delay.
Board of Directors / Senior Management: Overall responsibility for approving and overseeing the Customer Data Privacy Policy and ensuring its effective implementation.
Data Protection Officer (DPO) / Privacy Officer (if applicable): Appointed by senior management, responsible for advising on data protection compliance, monitoring adherence to this policy, and acting as a contact point for supervisory authorities and data subjects.
IT Department: Responsible for implementing and maintaining technical security measures and systems to protect customer data.
Compliance Department: Responsible for developing, implementing, and maintaining data privacy procedures and training programs.
All Employees: Responsible for understanding and adhering to this policy and related procedures, handling customer data in accordance with privacy principles, and reporting any suspected data privacy incidents.
This policy will be reviewed at least annually, or more frequently if there are significant changes in data protection laws, regulations, business operations, or identified risks.