Article 1: General

1. Fundion collects and uses certain Personal Data. Fundion has a responsibility to ensure that Personal Data is used in accordance with data protection laws.
2. At Fundion, we respect your privacy and are committed to protecting your Personal Data.
3. This Privacy Statement is aimed at individuals whose Personal Data we Process in the course of our commercial activities. These may be customers or potential customers or their representatives, agents or persons appointed by them, or an employee, director, officer or representative of another organization with which we have a business relationship. This Privacy Statement is also directed at visitors to our websites.

Article 2: Definitions

For the purposes of this Privacy Statement, the following terms shall have the following meanings:

1. Data Subject, Third Party, Personal Data, Processor, Processing and Controller: the terms as defined in Article 4 of the GDPR.
2. Asset manager: the company that, for the management of the fund from which Financiers wish to grant loans to businesses and/or Entrepreneurs, has entered into an Agreement with Controller for this purpose.
3. GDPR: the General Data Protection Regulation.
4. Data breach: an infringement in connection with Personal Data, as referred to in Article 4 under 12 of the GDPR.
5. Service: the service called Controller servicing that is provided to the Client and is described in the Agreement.
6. Financier: the company that provides loans to businesses and/or Entrepreneurs and that has entered into an Agreement with Controller for this purpose or makes use of the services offered by Asset Manager for this purpose.
7. Controller: the private company Fundion Servicing B.V., administratively located at de Opslach 79, 8448GV Heerenveen, registered in the Chamber of Commerce Oost Nederland under number 69779694.
8. Fyndoo: the software program used by Controller for the execution of the Service.
9. Personal Data: all data (including documents) that the Client makes available or enters when using the Service, as well as all data (including documents) that are processed and created when using the Service, as far as the forementioned data meets the definition of Article 4 (1) GDPR.
10. Entrepreneur: the natural person (in the case of a sole proprietorship or a V.O.F.) or the director-shareholder of a legal entity wishing to take out a loan with Financier, which may or may not be provided from the fund managed by the Asset Manager, and whose Personal Data are processed by Controller in the context of the Service it provides to the client. It can also be an executive director or Ultimate Beneficial Owners of our business partners or clients, whose personal data are processed in the context of a KYC compliance check.
11. Client: the Asset Manager or Financier who has entered into an Agreement with Controller in the context of the Service.
12. Agreement: the Agreement concluded between Controller and the Client, which is also the contractual basis for the provision of the Service.
13. Parties: Controller and Client.
14. Privacy regulations: these regulations of Controller that describe how Controller interprets the protection of Personal Data in accordance with the legal provisions as included in the GDPR.

Article 3: Subject matter and division of roles

1. This Privacy Statement applies to the Processing in the context of the purposes referred to in Article 6 and is part of the Agreement. This Privacy Statement will be accepted by the Client and made available to the Client at the time of entering into the Agreement.
2. Controller is the Controller for the Processing of the Personal Data of the Client’s employees. Controller is also the Controller for the Processing of the Personal Data of the Entrepreneurs.
3. In addition to Controller, the Client is also the Controller for the Processing of the Personal Data of the Entrepreneurs and (if applicable) Financiers.
4. By using the Service, the Client explicitly agrees with the Processing by Controller of the Personal Data of its employees as well as of the Personal Data of the Entrepreneurs and (if applicable) Financiers, all this as described in this Privacy Statement and the Agreement.

Article 4: Basis for Processing Personal Data of (employees of) the Asset Manager and/or Financier

1. Controller processes the Personal Data of (employees of) Asset Manager and/or Financier for the purpose of concluding the Agreement, the performance of the Service, in the context of a legal obligation and in the context of the legitimate interest of the Client and/or itself.
2. The Personal Data referred to in paragraph 1 relate to all Personal Data entered and information provided by the Client when using the Service. The following Personal Data are processed by Controller:
   • the name, function and business contact details of the natural person(s) that the Service uses on behalf of the Client;
   • technical information, such as the computer of the person referred to under a., the operating system, the browser, the statistics regarding viewed pages within the software used by Controller, the geographical location, the referring URL and the IP address;
   • information that Controller (or its subcontractor on its behalf) collects using cookies and web beacons.
3. In addition to the Processing referred to in paragraphs 1 and 2, Controller Processes the Personal Data relating to Asset Manager or Financier in the context of compliance with the Money Laundering and Terrorist Financing Prevention Act (Wwft). This concerns:
   • the identity details (such as names, gender, date of birth, place and country, nationality, marital status, details about and on the identity card and other (contact) details);
   • (if applicable) information on the residence status;
   • details of the Financier’s profession and business;
   • Financial data, including:
     • (if applicable) information about Financier’s company (including trade name,  VAT and Chamber of Commerce number, sector, annual accounts, directors, shareholders and Ultimate Beneficial Owners);
     • bank and payment details.
4. By entering into the Agreement, the Client agrees that Controller will proceed with the Processing of the Personal Data referred to in this article. Controller is responsible for Processing the Personal Data referred to in this article and therefore has independent control over the purpose and means of Processing this Personal Data.
5. The Client himself fulfils his information obligations from the GDPR towards the Data Subjects referred to in this article, whereby the Client will in any case report on the Processing to be carried out by Controller.
6. The Client indemnifies Controller against any claims from third parties, which in any case include the Data Subjects referred to in this article and the supervisor, which relate to the Processing carried out by Controller within the framework of the performance of the Service, unless there is an infringing Processing for which Controller itself is responsible.

Article 5: Basis of the Processing of Entrepreneurs

1. In addition to the Processing as referred to in Article 4, Controller Processes the Personal Data relating to the Entrepreneur for the performance of the Service, in the context of a legal obligation and in the context of the legitimate interest of the Client and/or itself.
2. The Personal Data referred to in paragraph 1 concern – depending on whether this is necessary for the implementation of the Agreement concluded between the Parties -:
   • the identity details (such as names, gender, date of birth, place and country, nationality, marital status, details about and on the proof of identity and other (contact) details);
   • (if applicable) information on the residence status;
   • details of the Entrepreneur’s profession and business;
   • Financial data, including:
   • interest rates, premiums, conditions of the products that the Entrepreneur has applied for and of the agreement that the Entrepreneur has concluded.
   • turnover data;
     • information about the company (including trade name, VAT and Chamber of Commerce number, branch, annual accounts, directors, shareholders and Ultimate Beneficial Owners);
     • WOZ value of any real estate;
     • income from a possible spouse, registered partner or tax partner;
     • information about the assets;
     • data on any obligations (such as current credits and mortgages);
     • data on creditworthiness;
     • bank and payment details.
3. By entering into the Agreement, the Client agrees that Controller will proceed with the Processing of the Personal Data referred to in this article. Controller is responsible for Processing the Personal Data referred to in this article and therefore has independent control over the purpose and means of Processing this Personal Data.
4. The Client shall himself fulfil his information obligations towards the Entrepreneurs under the GDPR, whereby the Client shall in any case report on the Processing operations that are carried out by Controller.
5. The Client indemnifies Controller against any claims from third parties, which in any case include the Entrepreneurs referred to in this article and the supervisor, in connection with the Processing carried out by Controller within the framework of the performance of the Service, unless there is an infringing Processing for which Controller itself is responsible.

Article 6: Basis of the Processing of Personal Data of interested website visitors

1. Controller processes the Personal Data of interested website users who wish to use the services of Controller by leaving personal data on www.fundion.nl for information and contacting Controller in any other way.
2. The Personal Data referred to in paragraph 1 concerns all data filled in by the interested party that can be filled in on the contact form. The following Personal Data will be processed by Controller:
   • the email address which is filled in by the interested party, which may be personal data;
   • The telephone number of the interested party which may be personal data;
   • The content of the message that is filled in by the interested party.
3. The above mentioned information is requested for the purpose of providing the interested Data Subject with the requested information and maintaining contact with him/her.
4. The Personal Data as mentioned in this article will be deleted within 6 month from the moment the request is processed.

Article 7: Purposes of Processing Personal Data

1. Controller Processes the Personal Data referred to in Articles 4-6 for the following purposes:
   • the provision of its Services, consisting of facilitating the process of applying for a loan, including assessing the creditworthiness, drawing up loan documentation, monitoring, revising and managing the loans;
   • if applicable: the verification of identity and reliability under the Money Laundering and Terrorist Financing Prevention Act (Wet ter voorkoming van witwassen en financiering van terrorisme, Wwft);
   • the promotion of safe trade via the Service and the follow-up of complaints and/or reports with regard to unlawful acts via the Service;
   • answering questions from the (employees of) the Asset Manager, Financiers or Data Subjects;
   • compliance with these Privacy Regulations and the Agreement;
   • measuring the interest in its Service and improving and/or promoting the Service;
   • improving risk models;
   • maintaining and expanding the (commercial) relationship with the Client and the Entrepreneur (for example by offering other services to the Client or offering an alternative product to an Entrepreneur);
   • carrying out market research;
   • the conversion of the Personal Data into statistical data, the result of which can no longer be traced back to persons;
   • the implementation of applicable laws or regulations concerning the Processing;
   • any other purposes as specifically described when collecting the information.

Article 8: Confidentiality and transfer of Personal Data to third parties

1. The parties shall ensure that everyone, including employees, representatives and/or any Processors, involved in the Processing shall keep this information confidential. Controller will ensure that a confidentiality agreement or clause has been concluded for everyone involved in the Processing.
2. The confidentiality obligation referred to in paragraph 1 does not apply insofar as the Client has explicitly consented to provide the Personal Data to a third party, if the provision of these Personal Data to a third party results from the nature of the purposes as stated in article 5 or if there is a legal obligation or a judicial decision to provide the Personal Data to a third party.
3. Within the framework of the execution of the Service, Controller is authorized to provide the Personal Data to Clients and the following categories of Processors:
   • The software supplier engaged by Controller (Topicus.Finance B.V.) or a hosting party;
   • Credit registration agencies (such as Graydon, CompanyInfo, and BKR);
   • Know your Client (KYC) service providers (such as Lexis Nexis and Partner in Compliance);
   • Wwft review bureaus (such as Graydon);
   • Partners in the legal structure ( such as Hendrick Holding B.V. and its partners Credion Association B.V. Fundion Holding B.V. and Fundion Origination B.V.) .
4. If Controller proceeds to provide the Personal Data to other categories of parties than those referred to in paragraph 3, Controller shall inform the Client thereof separately.

Article 9: Modification of Personal Data, Rights of Data Subjects and cooperation

1. Client can view the Personal Data of the Entrepreneurs within Fyndoo.
2. To view the Personal Data stored and not directly accessible through the Service, the Client can contact Controller, unless Controller is not obliged under the GDPR to provide such access.
3. If the Personal Data processed by Controller are factually incorrect or incomplete or are irrelevant for the purposes for which Controller Processes the Personal Data, the Client can request Controller to improve, supplement, remove or protect the Personal Data. Such requests will be dealt with in accordance with the applicable laws and regulations in the field of Personal Data (including the GDPR, the GDPR Implementation Act and the Wft). This request can be send to info@fundion.nl.
4. In addition to the rights of rectification and erasure described in 9.3 above, a Data Subject has the right to be informed, to gain access, to restrict processing, to data portability, and has rights related to the automated decision making, including profiling. Requests in relation to these rights can be send to the Controller, as per 9.3 above.
5. A complaint or request from a Data Subject or Financier with regard to the Processing of his Personal Data will be dealt with by Controller in consultation with the Client. A Data Subject also has the right to file a complaint with the Autoriteit Persoonsgegevens (www.autoriteitpersoonsgegevens.nl).
6. The parties will – as far as reasonably possible and necessary – cooperate with each other:
   • to comply within the statutory deadlines with the obligations under the applicable legislation and regulations in the field of Personal Data (including the GDPR, the GDPR Implementation Act (Uitvoeringswet AVG) and the Wet Financieel Toezicht), more specifically the duty to provide information to and respect the rights of Data Subjects, such as a request to inspect, correct, supplement, destroy or protect their Personal Data;
   • in the context of audits;
   • in carrying out the data protection impact assessment (DPIA) and any resulting consultation with the Autoriteit Persoonsgegevens for Personal Data;
   • in responding to requests from the Autoriteit Persoonsgegevens or any other public authority;
   • in the preparation, assessment and reporting of Data Breaches.

Article 10: Retention period and destruction of Personal Data

1. The Personal Data will not be kept longer than is necessary for the purposes as described in article 7. Personal Data which, pursuant to applicable (tax) laws and regulations, must be kept by Controller for a longer period of time, will not be kept longer than 7 years after termination of the Agreement.
2. In the event of termination of the Agreement, the arrangements set out in Article 8 of the Agreement with regard to the return and deletion of the Personal Data shall apply.
3. The information related to the Client and/or Entrepreneurs and resulting from the use of the Service will only be kept longer than the period referred to in paragraph 1, in a form that no longer makes it possible to identify the Data Subject.

Article 11: Security and control

1. Controller and its suppliers take various technical and organizational measures (including encryption, passwords, physical security) to protect and protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction or civilization.
2. All Personal Data is stored on multiple servers in secure data centers which are guarded and monitored 24 hours a day, 7 days a week. Only a limited number of authorized persons have access to these servers which are physically located at multiple locations in the eastern Netherlands.
3. The personal data is stored encrypted and illegible for unauthorized persons.
4. The Service is secured with an encrypted connection (256-bit SSL – shown by the lock symbol in the browser) to ensure security between the Client’s computer and the servers of (the suppliers of) Controller.
5. The measures referred to in the preceding paragraphs guarantee, taking into account the state of the art and the costs of implementation, an appropriate level of security in view of the risks involved in the Processing and the nature of the Personal Data to be protected. The measures are also aimed at preventing unnecessary collection and further Processing. The Personal Data will not be transferred outside the European Economic Area.
6. The security of the Personal Data is regularly tested by leading external parties and according to internationally recognized testing procedures.

Article 12: Exchange of information and data breaches

1. The parties shall inform each other of facts which they can reasonably expect to affect the Processing by the other Party. If there is a change in the Service that affects the Processing and/or security of the Personal Data, Controller will inform the Client immediately.
2. The parties will inform each other as soon as possible about each Data Breach. The parties will immediately take all reasonable measures to the best of their ability that are necessary to safeguard Personal Data, restore security and prevent further unauthorized access, modification and provision of the Personal Data. Parties shall take these measures at their own expense, unless it appears that the Data Breach can be attributed to one of the Parties, in which case the costs shall be borne by that Party. In such cases, the Parties will cooperate with each other on request to inform the competent authorities and the Parties concerned.
3. Insofar as a Party is required to inform the Data Subjects about one or more Data Breaches as referred to in the preceding paragraphs, the Parties will provide each other with all necessary cooperation. Parties are entitled to charge each other any reasonable costs involved, depending on the question of who can be considered responsible for the Data Breach.

Article 13: Amendment of the Privacy Statement

1. Controller is at all times entitled to unilaterally amend and/or supplement this Privacy Statement. The most current version will be found in Fyndoo within the Client environment. Changes will also be brought to the attention of the Client during the use of the Service and the Client will be given the opportunity to download the new version of the Privacy Statement.
2. If the use of the Service is continued after this Privacy Statement has been amended or supplemented, these will be deemed to have been accepted by the Client, unless the Client has objected to this within seven days of the notification. If the Client does not agree with the amended or supplemented Privacy Statement, he is entitled to terminate the use of the Service with immediate effect.
3. Parties have the right to renegotiate the amendment of this Privacy Statement if this is necessary as a result of changes in the Processed Personal Data, the applicable security requirements and/or a change is necessary for compliance with the applicable laws and regulations.
4. This Privacy Statement was last amended in July 2024.