Privacy PolicyPrivacy Policy
1. Introduction
Luso Homes is a product of Luso Digital Assets, Lda., created to give our clients (and business partners) an online real estate portal where clients can find properties to be sold or bought using cryptocurrency.
Luso Digital Assets respects their client’s privacy and is committed to protecting every personal data it accesses.
This Privacy Policy (or “Policy”) is issued on behalf of Luso Digital Assets, a company incorporated in Portugal, duly licensed before the Portuguese Central Bank (Banco de Portugal), with its registered office address at Rua Princesa D. Amélia, nr. 20 L, Funchal 9000 - 019 Portugal.
This Policy is issued in compliance with Regulation (EU) 2016/679 of 27 April 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data (or General Data Protection Regulation “GDPR”) and other legislation that may be issued on a national and European level regarding these matters.
This Policy must be read together with any other policies we may issue regarding the collection and processing of personal data so that you are fully aware of how and why we are using your data.
Although this Privacy Policy is of Luso Digital Asset’s responsibility, as the controller, the company nominates a Data Protection Officer (or “DPO”), who is responsible for overseeing any questions concerning this Policy.
If you have any questions about this Policy, including any requests to exercise any legal rights, please get in touch with our DPO by using the details set out in Section 9 below.
2. Purpose
The purpose of this Policy is to inform our clients and/or partners – both referred to as clients for the purpose of this Policy – as to how we handle their personal data when they use our services, visit our website and use the functionality contained within it (regardless of where they visit it from) and to inform them about their privacy protection rights and how the law protects them.
This website and Luso Digital Assets’ services are not intended and we do not knowingly collect data for children, or anyone under the age of 18 (eighteen) years old.
3. Collection of client’s personal data
Complying with the obligation to take appropriate measures to provide information in a concise, transparent, intelligible, and easily accessible way relating to data processing, please read the chart below where you will find further information about this topic.
| Question | Further information |
|---|---|
| What information do we collect about a client and on what grounds? | We may collect, use, store and transfer different kinds of personal data about our clients. Personal data, or personal information, means any information relating to an identified or identifiable natural person – being an identifiable natural person is one who can be identified, directly or indirectly. It does not include data where the identity has been removed (anonymous data). We have grouped the personal data we may collect as follows: • Identity data includes first name, middle names, last name, username or similar identifier, date of birth and gender. • Contact data includes physical address, email address and telephone numbers. • Financial data includes any bank account information. • Transaction data includes details about payments to our clients and transactions they perform to their selected beneficiaries. This information includes wallet address, amount, currency, type of transaction, source of funds, exchange rate, recipient name and bank details. • Technical data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices our clients use to access the website. • Profile data includes the client’s interests, preferences, feedback and survey responses. • Data imported by the user includes reputation or trade history. • Usage data includes information about how the client’s use the website. • Aggregated data such as statistical or demographic data that is derived from our client’s personal data, but is not considered personal data by the law as this data will not directly or indirectly reveal the client’s identity. We may aggregate our client’s usage data (e.g., information about how they use our website and related features) to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with some client’s personal data so that it can directly or indirectly identify them, we treat the combined data as personal data which will be used in accordance with this Policy. Through the course of our business relationship, we may ask for additional evidence, documents or declarations in order for us to comply with our legal obligations. These can include, but are not limited to, documents required to verify any information provided to us, or evidence of source of funds. We may collect this data based on the client’s permission and will or based on legal obligations, for example to comply with national and European legislation regarding Anti-Money Laundering and Counter Terrorist Financing, namely the Portuguese Law no. 83/2017 of August 18th and the Directive (EU) 2015/849 of the European Parliament and of the Council. of 20 May 2015, on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. We do not collect any details about race or ethnicity, religious or philosophical beliefs, intimacy or sex life, political opinions, trade union membership, information about health, and genetic, sexual orientation and biometric data. Nor do we collect any information about criminal convictions and/or offences. Luso Digital Assets is committed to the principle of data minimization and we ensure that we only collect and process personal data that is necessary for the purposes outlined in this Policy. |
| How do we collect the clients’ personal data? | We use different methods to collect data from and about our clients including through: Direct interactions – our clients may give us their personal information by completing our Onboarding process and providing supporting information and documentation for the purposes of helping us adhere to our compliance obligations, filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data they provide when they: • Apply for our products or services; • Request marketing to be sent to them; • Give us some feedback. Automated technologiesor interactions where technical data about the clients’ equipment, browsing actions and patterns that we may automatically collect as they interact with our website, by using cookies and other similar technologies. Regarding this matter, please see our Cookie Policy for further details. Third parties or publicly available sources where we may receive personal data or technical data about our clients from parties such as Google Analytics based outside the EU. |
| Do clients have to provide Luso with their personal data? | We require the providing of certain personal data (1) to allow the clients to use our certain services and the website and (2) when we need to collect personal data as imposed by law. |
| How does Luso use the clients’ personal data? | We will only use personal data when the client authorized its use and when law allows or complies us to do so, namely laws regarding Anti-Money Laundering and Counter Terrorist Financing or other that may be applicable. Most commonly, we will use the client’s personal data in the following circumstances: • When the client’s use a determined part of the website that requires them to register as a new customer; • To verify the client’s identity; • To provide certain services; • To make suggestions and recommendations about the goods or services that may be of interest the client; • Asking to participate in a survey or provide feedback relating to the website or our services; • Sending out circulars, reminders, and any important notifications; • Sending marketing communications if they have requested information from us (or purchased services from us); • Where it is necessary for our legitimate interests (or those of a third party) and their interests and fundamental rights do not override those interests; • Where we need to comply with a legal or regulatory obligation; • To improve our website. We will only use the client’s personal data for the purposes for which we collected it for, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Please note that we may process the client’s personal data without their knowledge or consent, in compliance with the above rules, where this is required or permitted by law. We sometimes rely on consent as a legal basis for processing the client’s personal data. Clients have the right to withdraw consent at any time by contacting us. |
| Does that client have to inform of us of any changes to their personal data? | It is important that the personal data we hold about the client is accurate and current. Therefore, we require that our clients keep us informed if their personal data changes during the relationship with us. Also, our clients have the right to obtain the rectification of inaccurate personal data concerning them and/or to have incomplete personal data completed, including by means of providing a supplementary statement. |
| When do we disclose the client’s personal data? | Client’s personal data will be shared with the website’s hosting provider, only as necessary to fulfil the website-related services. We partner with and are supported by service providers around the world. Personal information will be made available to these parties only when necessary to fulfil the services they provide to us, such as website, software, system, and platform support; direct marketing services; cloud hosting services; advertising; data analytics; and order fulfilment and delivery. When using our services, the client’s personal data may be shared with our payment providers and banking partners to perform the relevant transaction. When a client transacts with Luso Digital Assets through Luso Homes, we may need to share their information with payment providers or banking providers, such as intermediary or beneficiary banks. For transparency, verification, and legal requirements, we are required to include certain information on the payment which could include: • Name; • Date of birth; • Address; • Beneficiary details; • Identity document. In the course of using our services, we may need to pass necessary information on to Governmental departments, regulatory bodies, the police, other law enforcement agencies or other third parties when we are legally compelled to do so. Our employees and contractors are required to follow our data privacy and security policies when handling personal information. We may partner with other organizations and, as part of these arrangements, our clients may also be considered customers of our business partners – in addition to being Luso Digital Assets clients’ through Luso Homes. Luso Digital Assets makes an effort in trying to only partner with corporations with the highest standards in the processing of personal data. Nonetheless, the clients should review the privacy statements of our partners if they would like to know more about the information they collect. Our third-party service providers are not permitted to share or use personal information we make available to them for any other purpose than to provide services to us. We require all third parties to respect the security of personal data and to treat it by the law. We do not allow our third-party service providers to use any personal data for their own purposes and only permit them to process personal data for specified purposes and following our instructions. We will only share personal information when we believe it is required, such as to comply with legal obligations and respond to requests from government agencies, including law enforcement and other public authorities. |
4. Data security
We have put in place the appropriate security measures to prevent personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.
In addition, we limit access to personal data to those employees and third parties who need to access such information to do their jobs or to complete the services we required from them. They will only process personal data on our instructions, and they are subject to a duty of confidentiality and contractual obligations that abide them to follow the law.
We store all data electronically in a secure manner to protect its confidentiality, integrity and availability. These data are stored on AWS servers, which are protected and actively maintained by firewalls. The AWS servers are encrypted and managed by Amazon, a company also bound to comply with legislation regarding data protection and with a comprehensive policy on these matters – for further information on how AWS manages data, please check their policy here: https://aws.amazon.com/pt/compliance/gdpr-center/.
Also, on the topic of how we keep our data secure, we use up-to-date anti-virus software and our servers have restricted access.
We cannot guarantee the security of information collected or transmitted electronically; however, we take reasonable care to safeguard any personal information that reaches us this way. Nevertheless, we have put in place procedures to deal with any suspected personal data breach and will notify our clients and any applicable regulator of a breach as we are legally required to do so.
5. Data retention
The personal data collected and processed by Luso Digital Assets, through Luso Homes, will be kept for the entire period in which the registration of the client’s user is on our website. They may, at any time, ask Luso Digital Assets to erase the personal data that they have made available.
In order to comply with certain legal obligations Luso Digital Assets may process personal data for a longer period, such as the legal limitation period associated with the prevention of money laundering and terrorist financing, which is 7 (seven) years.
6. Client’s legal rights
Complying with the obligation to take appropriate measures to provide information in a concise, transparent, intelligible and easily accessible form relating to client’s rights, please read the chart below where you will find further information about this topic.
| Legal right | Further information |
|---|---|
| Request access to personal data (commonly known as a “data subject access request”) | This enables the client, as the data subject, to obtain from Luso Digital Assets confirmation as to whether or not personal data concerning said client is being processed and, if so, access to the personal data and the following information: • The purposes of the processing; • The categories of personal data concerned; • The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; • The existence of the right to request from Luso the rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; • The right to lodge a complaint with a supervisory authority; • If the personal data was not collected from the data subject, any available information as to their source; • The existence of automated decision-making, including profiling, and, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. |
| Request the correction of any client’s personal data | This enables the client to have any incomplete or inaccurate data we hold about them corrected, though we may need to verify the accuracy of the new data they are providing to us. |
| Request erasure of the client’s personal data | his enables the client to ask Luso Digital Assets to delete or remove personal data where there is no good reason for us continuing to process it, subject to our legal and contractual obligations, or if you withdraw consent on which the processing is based and where there is no other legal ground for the processing. Clients also have the right to ask us to delete or remove their personal data when: • They have successfully exercised their right to object to processing (see below); • We may have processed their information unlawfully; or • When we are required to erase their personal data to comply with local law. Note, however, that we may not always be able to comply with the request of erasure for specific legal reasons which will be notified to said person, if applicable, at the time of their request. |
| Object to processing of personal data | Clients can object to data processing when, although we are relying on a legitimate interest (or that of a third party), the client feels such processing impacts their fundamental rights and freedoms. However, clients cannot object to the legally determined data processing or where we must process the client’s information to comply with a contract in which the client is a party. |
| Request restriction of processing of their personal data | This enables the clients to ask us to suspend the processing of their personal data in the following scenarios: • If they want us to establish the data’s accuracy; • When our use of the data is unlawful, but they do not want us to erase it; • When they need us to hold the data even if we no longer require it as they need it to establish, exercise or defend legal claims; or • They have objected to our use of their data, but we need to verify whether we have overriding legitimate grounds to use it. |
| Request the transfer of personal data to them or to a third party (“Right to data portability”) | We will provide the clients' personal data to them, or a third party they have chosen, in a structured, commonly used, machine-readable format, as long as this does not adversely affect the rights and freedoms of others. |
| Withdraw consent at any time when we are relying on consent to process clients’ personal data | The client has the right to withdraw their consent for the processing of specific data, at any time, if we are relying on consent to process this specific personal data. This will not affect the lawfulness of any processing carried out before they withdraw their consent. If the client withdraws their consent, we may not be able to provide certain products or services to them. We will advise the clients if this is the case at the time they withdraw their consent. |
If any client wishes to exercise any of the rights set out above, please contact our data protection officer as foreseen in Section 9 below.
What will Luso Digital Assets need from a client if he wishes to make a subject access request?
We may need to request the client for specific information to help us confirm their identity and ensure the right to access their personal data (or to exercise any of their other rights).
This is a security measure to ensure that personal data is not disclosed to any person who does not have a right to receive it. We may also contact the client to ask for further information concerning their request to speed up our response.
Does a client need to pay to access their personal data?
They will not have to pay a fee to access their personal data (or to exercise any other rights). However, we may charge a reasonable fee if their request is clearly unfounded, repetitive, or excessive. Alternatively, we may also refuse to comply with the request in these circumstances.
How long will it take to respond to a client’s subject access request?
We try to respond to all legitimate requests within 1 (one) month. Occasionally it may take us longer than a month if the request is particularly complex or the client has made several requests. In this case, we will notify the client and keep them updated.
7. Reviews and amends to the Policy
Our Privacy Policy is reviewed at least once a year to ensure that any new obligations and technologies, as well as any changes to our business operations and practices, are taken into consideration, as well as that it remains abreast of the changing regulatory environment. Any personal information we hold will be governed by our most recent Privacy Policy. Luso Digital Assets is entitled to the right to amend this policy whenever should be necessary. Every time an amendment takes place, the updated policy will be duly published on our public website.
8. Complaints
If you have a complaint about this Policy or any element of how we use your personal data, please contact us, through our data protection officer as foreseen in Section 9 below.
If you are not satisfied and are located in an EEA country, please contact your local data protection authority. You have the right to present a formal complaint. In Portugal said authority is CNPD – Comissão Nacional de Protecção de Dados, and its website is: https://www.cnpd.pt/
If you are based in, or the issue you would to complain about took place in the EEA, please visit this website https://edpb.europa.eu/aboutedpb/board/members_en for a list of local data protection authorities in other EEA countries.
9. Contact details
We have appointed a data protection officer (DPO) who is responsible for, among other things, overseeing questions about this Policy.
If you have any doubts or queries about this Policy or other matters related to data protection or processing, including any requests to exercise your legal rights, please contact our DPO Iara Batista, using the following e-mail address:iara.batista@lusodigitalassets.com
