Privacy Policy

I.          Scope of the Privacy Policy 

Orange Gateway ehf., here after Orange Gateway,  places strong emphasis on protecting the privacy of its customers and parties who communicate with Orange Gateway to safeguard their rights. This Policy contains information on the data Orange Gateway gathers about you, how it is used, how its security is ensured and your rights according to data protection legislation. 

II.         Types of personal data collected 

The collection and processing of personal data allows Orange Gateway to provide you, or companies which you work for or are connected with, with requested financial services. The personal data you submit includes: 

•          Basic information: Name, Icelandic Id. No., address, telephone number, email, name of employer and other basic information, as the case may be on nationality, marital status, spouse, children and connected parties such as legal guardians, holders of power of attorney or guarantors. 

•          Communication and contract information: All your interaction with Orange Gateway that takes place via email, online chat, in writing, in conversation and on social media. Orange Gateway also processes all information derived from or submitted in relation to any contracts you enter into with the Orange Gateway, e.g. for individual products or services.

•          Information about identification: Any copies of legally required or electronic identification, including copies of your passport or driver’s license, your preferred means of identification and communication channels. This also includes the time and date of your visits to the Orange Gateway ‘s branches if you chose to register your Id. No. when you visit.

•          Financial information: All information about your current and previous business and transaction history, including account balance and type, turnover, origin of funds, transaction statement and information about payment cards, payment history and orders along with information about income, expenses, financial commitments, and assets and liabilities. 

•          Information gathered through electronic monitoring: Audio and video recordings from surveillance cameras in the Orange Gateway ‘s facilities. 

•          Technical information and inferred data about behavior and use: About the equipment and devices you use to connect to the Orange Gateway‘s website and app such as user name, settings, IP number, type, number and settings of smart devices, operating system and browser type, language settings, how you connect to us, the origin and type of actions undertaken.

•          Public information: From public registries such as Registers Iceland, the Icelandic Property Registry, the vehicle registry, the Registrar of Enterprises, the Legal Gazette and other public registries. 

•          Sensitive personal data: on racial or ethnic origin, political affiliation, trade union membership, health information, biometric data. Note that when using biometric data such as your fingerprint or face to log in to Orange Gateway ’s app, identification takes place through your phone only and Orange Gateway does not receive copies of your biometric data. 

•          Other information: The list above is not exhaustive and Orange Gateway may process other personal data depending on the nature of the business relationship or your transactions with the Orange Gateway.

In exceptional cases, Orange Gateway may need to gather information classified as special categories of data. In other instances, financial information, e.g. transaction statements for payment cards or use of current accounts, may include sensitive personal data that may indicate certain behavior. We do not gather sensitive data about you nor do we process such data without clear authorization and unless absolutely necessary. Should you choose not to supply necessary information it may prevent Orange Gateway from providing the requested service.

Processing personal data of children 

The personal data of children may be processed if it is necessary to carry out requested transactions or provide a service, e.g. create an account. The Data Protection Act states that the consent of a guardian is required for children under 13 years of age in relation to the offer of information society services directly to a child.

III. Purposes for which Orange Gateway uses personal data 

Orange Gateway processes personal data for clear and stated purposes in accordance with the Data Protection Act, the Orange Gateway’s rules and this Policy. Processing of personal data may have various purposes, such as: 

•          To contact you, identify you and ensure the security and reliability of business transactions, through such means as due diligence on customers. Orange Gateway contacts customers through various channels, such as email, notifications on Orange Gateway website, Orange Gateway’s app and social media.

•          Carry out requested transactions, provide services and advice and respond to enquiries, such as establish and maintain a business relationship, perform payments analyze, financial standing with regard for the Orange Gateway‘s product and service offering in order to provide advisory service, including on asset management.

•          For security and archiving purposes to safeguard the interests of customers, employees and others who have dealings with the Orange Gateway, ensure the traceability of transactions through such means as electronic monitoring and investigate issues or prevent money laundering, terrorist financing, fraud and other criminal conduct. 

•          Develop the Orange Gateway‘s product and service offering, promote innovation and boost service levels, offer personalized and tailored services, respond to suggestions and complaints and process answers to marketing and/or service questionnaires. 

•          Develop solutions and reports for internal treasury purposes.

•          Operate and maintain the Orange Gateway’s websites and online services and improve user experience online, on apps and/or web-based solutions. 

•          Respond to legal requests and ensure cyber and data security by, among other things, analyzing, investigating and preventing fraud and other misconduct.

•          For marketing and promotional purposes and to provide personalized and tailored services, send messages about benefits and material that may interest you or you have requested. Note that photographs and video recordings are made at conferences, promotions and other events hosted by Orange Gateway and that these may appear publicly on the Orange Gateway’s websites, including social media.

•          Perform statistical analysis on certain products, services or communication channels, front office or other individual functions in the Orange Gateway’s operation. Such analysis is based on non-personally identifiable data, if possible.

Lawfulness of processing of personal data

For the most part, the gathering and other processing of your personal data by Orange Gateway is based on a contract between you and Orange Gateway for specific services and to provide the requested financial service or to satisfy legal obligations Orange Gateway is subject to as a regulated entity on the financial market. In certain cases, Orange Gateway will request your informed consent to process personal data. In such cases, you can withdraw your consent at any time, and then the processing covered by the consent is terminated. 

Finally, your data may be processed if it is necessary for the purposes of legitimate interests pursued by the Orange Gateway, you yourself or a third party. Such processing does not take place if it is clear that your interests outweigh the interest of Orange Gateway or a third party. The following processing operations are based on legitimate interests: processing of basic information from Registers Iceland, determination of benefit programs for customers and retention of the business history of former customers, classification and monitoring of loans, development and testing of new products and services, for marketing purposes and target group analysis, and for cyber and information security purposes.

Automated decision-making

In certain instances, Orange Gateway creates a personal profile using automated processing of your personal data to assess or anticipate aspects of your finances, such as development of financial standing or probability of default. Calculation of a credit score is an example of profiling. Profiles may also be prepared for marketing and cyber and information security purposes, e.g. to determine which benefit program suits you best, and by employing pattern analysis on Orange Gateway website to maximize the safety of your financial information. 

Profiling may also be a factor in automated decision-making that relates to you. In automated decision-making your personal data is processed automatically by software to reach a decision without the aid or involvement of human agency.

Automated decision-making only takes place with your consent, if it is a prerequisite for the conclusion or execution of an agreement between you and the Orange Gateway, or if authorized by law. You can submit objections or contest automated decisions by email to support@orangegateway.com.

IV. Where does Orange Gateway get information from and who is it submitted to? 

The aforementioned personal data in the Orange Gateway’s possession is usually gathered directly from you when you enter into a business relationship with the Orange Gateway, apply for a certain product or service, or contact Orange Gateway through such channels as email, online chat or by other means. 

Information can also be sourced from third parties, including Orange Gateway’s partners such as card issuers, payment service providers and public entities. Unconnected parties may also provide information about you, e.g. local credit information providers, customs and tax authorities and public registries. External parties are not authorized to submit information about you to Orange Gateway unless authorized to do so, for example with your consent or legal authorization. 

Orange Gateway may also need to disclose your personal data to domestic or foreign partners and/or service providers to provide you with certain services. Orange Gateway selects its partners and service providers with care and does not disclose personal data unless they comply with the Orange Gateway’s security demands. Foreign commercial Orange Gateway’s receive information to process and settle international payments. Partners for payment transfers and card issuance, claim collection, operation and hosting providers, IT system providers and credit bureaus and custodians of financial instruments are also entities who it may be necessary to divulge personal information to in order for Orange Gateway to provide its services.

Disclosure may also take place based on your consent, e.g. if you request that Orange Gateway provide fintech’s or other entities with your payment information. You can further authorize Orange Gateway to divulge other information, such as your name, email or phone number, to partners for marketing purposes.

In certain cases, Orange Gateway is obligate to divulge personal data to law enforcement authorities, other authorities or regulators both domestic and abroad, based on legal obligation or international contracts. Orange Gateway is focused on safeguarding the human rights of its customers, including their privacy, and processes such requests in accordance with documented procedures so that no more extensive information is provided beyond what is necessary at each time and only based on clear legal authorization. 

V. Your rights

The Data Protection Act affords you certain rights, including to information about whether Orange Gateway processes your personal data and how such processing takes place in the Orange Gateway’s operation.

VI. Security of personal data

No service or software is completely secure. Contact Orange Gateway at the earliest opportunity if you are concerned that your personal data may be in danger or if you think that someone may have acquired your password or other information by emailing support@orangegateway.com. You will be notified of any data breaches with Orange Gateway or its processors that affect you, in accordance with law. 

VII. Cookies

The Orange Gateway’s websites store cookies on your computer or smart device. Cookies are small text files that store information to analyze use of the Orange Gateway’s websites and improve user experience. Cookies are also used to tailor websites to your needs, e.g. by boosting the function of a website, saving your settings, processing statistical information, analyzing traffic through websites and for marketing purposes. 

The Orange Gateway’s websites utilize different types of cookies. So-called session cookies are generally deleted when a user leaves the website. Persistent cookies on the other hand are saved to the user’s computer or device and store your actions or selections on the Orange Gateway’s websites. 

Necessary cookies, such as statistics cookies and functionality cookies, activate functions on the Orange Gateway’s websites. They are a prerequisite of use of the Orange Gateway’s websites, allowing them to function as intended, and consent is not required as such cookies are based on the Orange Gateway’s legitimate interests. Necessary cookies are generally first party session cookies, used by Orange Gateway only. 

First party cookies are not a requirement for use of the Orange Gateway’s websites. They nevertheless play an important role in the use and functionality of websites as they facilitate use by, for example, auto-completing forms and saving settings. First party cookies only send information about you to Orange Gateway.

Third party cookies are in place because of services Orange Gateway purchases from third parties, e.g. analytic and advertising cookies. Their use allows Orange Gateway to tailor its websites to user needs, more effectively analyze use of websites and prepare marketing material and advertisements tailored to certain target groups by considering, amongst other things: 

• Number of visitors, number of visits per visitor, date and time of visit.
• Which pages on the websites are viewed and how frequently.
• Type of files downloaded from the websites.
• Which devices, operating systems and browsers are used during visits.
• Which search words from search engines lead to the websites.

Third party cookies send information about you to another website owned by a third party, such as Google or Facebook. These third parties may also save cookies to your browser and through them gather information about your visits to the Orange Gateway’s website and the content you are interested in. 

Most browsers have the option of changing settings to prevent cookies. Deleting cookies is also relatively simple. Here is some more information about deleting cookies. A more detailed description of cookies, including the third-party cookies Orange Gateway uses, is available on the Orange Gateway’s website. Information about the use of third party cookies is also available on the websites of these third parties

VIII. How long does Orange Gateway retain information? 

Generally, Orange Gateway retains your personal data for the duration of the business relationship, as long as required by law or to satisfy the Orange Gateway’s legitimate interests. The strict rules and regulations that apply to the Orange Gateway’s operation may require different retention times depending on the type or nature of your data. 

Audio and visual recordings from phones and security cameras are retained for 90 days and deleted automatically once that period elapses in accordance with the Data Protection Authority’s rules on electronic surveillance. Phone recordings that pertain to securities trading are retained for 5 years in accordance with the Act on Securities Transactions. 

Orange Gateway strives not to retain information in personally identifiable form for longer than is necessary and safeguards such information in every respect. 

Specific legislation also provides for the obligation to retain certain information such as accounting records, personal identification and other information required under the Act on Measures against Money Laundering and Terrorist Financing. Audio and visual content gathered from electronic surveillance with security cameras and audio recordings of telephone conversations is not retained longer than for 90 days, unless otherwise provided by law. 

IX. How do I get in touch?

Orange Gateway ehf is responsible for ensuring that all processing of your personal data complies with the Data Protection Act and rules and is the controller determining the processing of your personal data. 

Orange Gateway’ Data Protection Officer is responsible for ensuring that the Orange Gateway’s activities comply with applicable laws and rules on privacy and data protection. Please direct any queries, complaints or comments relating to the processing and handling of personal data to the Orange Gateway’s Data Protection Officer by email to support@orangegateway.com.

Orange Gateway reserves the right to update this Policy on a regular basis. Orange Gateway will inform you about major changes to the Policy before they become effective upon publication to the Orange Gateway’s website, https://www.ORANGEGATEWAY.COM. 

Approved initially on 1st of April 2024