Data controller 

November First A/S 

Strandgade 98, 3rd fl., 1401 København 

CVR-no.: 37367605 

Danish FSA reg. no.: 22017  

Mail: data@novemberfirst.com 

1. Introduction 

November First process personal data about customers, persons associated with customers as well as partners and users of November First’s website and trading platform. November First protects the personal data and always complies with the laws in force to protect the personal data processed by November First. 

The goal of November First is to maintain a high level of security to protect personal data. In connection with this November First has taken the appropriate technical and organisational measures to ensure that personal data is protected against any, loss, manipulation, and unauthorised access.  November First continuously works on strengthening our security. 

This Privacy Policy applies to: 

• Visitors on the website, customers, and registered potential customers 
• Persons who are affiliated with one or more of November First’s customers who use or have used November First’s trading platform and services 
• All communication with November First 

 Information about November First’s services can be found in the "Terms and Conditions".

The Privacy Policy describes how and why November First processes personal data and protects the data subjects’ rights where November First is the data controller. 

2. Purpose of processing personal data

Depending on the customer’s customer relationship with November First, November First processes personal data for the following purposes:  

• To be able to provide and make November First’s services available  
• To provide customer service, administration of the customer relationship and to ensure the security, reply to enquiries and communicate regarding the services  
• To improve and develop November First’s products, including the website and services 
• To test, improve and develop November First’s systems and training of employees 
• Crime prevention and countering potential and actual fraud by processing information to detect and prevent suspicious activities  
• Marketing of products and services, including on behalf of or in cooperation with partners, on the basis of consent or if there is another legal basis  
• To comply with current legislation, including to fulfill November First’s legal obligations and other administrative purposes, including identification and verification according to the AML Act, risk management, and prevention of financial crime. According to law, November First is obliged to obtain documentation for persons identity depending on their affiliation with the customer on an ongoing basis, as long as the customer relationship exists 
• To control, test and monitor compliance with internal policies and procedures 

3. What personal data does November First process? 

November First process different types of personal data depending on which products, services and integrations are activated and the affiliation with the customer. This may include the following information: 

• In connection with applying for a customer account and the ongoing customer relationship management of the business customer, a variation of information is processed, such as CVR-number, contact information, owner- and control structure including the identity on beneficial owners and other company information. Furthermore, the purpose of the business relationship and the intended business scope 
• Personal information including name, citizenship, social security number or national identification number and identification documents such as a copy of passport, driver’s license and proof of address 
• Contact information including address, phone number, and email address. 
• Information on education, job title, experience, knowledge etc.  
• User information, registration data to validate identity and access rights 
• Information about services and products November First provides, use of the trading platform as well as preferences in connection with the use and the used devices 
• Information on all types of communication with November First 

• Digital information related to the use of November First’s website and platform including traffic data, location data, behavioural data, and other communication data, e.g., by using cookies and similar technologies 
• Information given about preferences for receiving marketing 
• Personal data that appears on invoices and from transactions November First is instructed to carry out. 

November First also processes other personal data where this is necessary to offer specific services or where this is a legal requirement. 

4. Legal basis for processing personal data 

The legal basis for November First’s collection and processing of personal data is the financial legislation and other regulations, including the AML Act, The Danish Bookkeeping Act, the General Data Protection Regulation (GDPR) and the Danish Data Protection Act.  

The specific legal basis can be the following:  

• Consent to the processing of personal data, cf. GDPR, art 6(1)(a) 
• The processing is necessary for the performance of a contract, cf. GDPR art 6(1)(b) 
• The processing is necessary for November First's compliance with a legal obligation, cf. GDPR art 6(1)(c) 
• It is necessary for the purpose of the legitimate interests pursued by November First, cf. GDPR art 6(1)(f). November First uses data for investigations, security, and fraud prevention. In this regard, November First uses personal data when necessary for security purposes or to investigate potential fraud or other violations of November First’s Terms and Conditions or any attempt to harm November First’s customers or business partners. Furthermore, data can be used regarding improving, developing, and maintaining November First's product and for business purposes such as giving the sufficient access to digital solutions the customer has requested. Additionally, for documentation purposes and to strengthen payment security and detect and prevent financial crime. 

The basis for the processing of sensitive personal data, cf. GDPR art 9, can be one of the following:  

• Explicit consent to the processing, cf. art 9(2)(a) 
• If it is necessary for the establishment, exercise or defence of legal claims, cf. art 9(2)(f) 
• The processing is necessary for reasons of public interest or based on Union or Member State law, cf. art 9(2)(g)    

Processing of data relating to criminal convictions and offences can take place with legal basis in GDPR art. 10 and national identification numbers according to the Danish Data Protection Act Section 11. 

Transfers of data to third countries occur in compliance with GDPR articles 45(1) and 46(2)(c). 

November First is, as a payment institute licensed by the Danish Financial Supervisory Authorities, subject to the AML Act (the Act on Measures to prevent Money Laundering and Financing of Terrorism). Hence, November First requests information on the identity of customers, and for legal persons, November First must identify the company's ownership and control structure, including the identity of the company's beneficial owners according to chapter 3 of the AML Act. 

Furthermore, November First is obligated to investigate transactions and store personal data in accordance with chapter 5 of the AML Act. 

In connection with November First providing payment services, November First processes personal data collected from the customer. The processing is based on the consent given upon acceptance of November First's terms and conditions. 

5. Collection of personal data 

November First collects personal data directly from our customers, persons associated with our customers or third parties. In addition, November First regularly process information about the use of the Platform and information received in relation to support, inquiries, and other communication. 

November First collects data to comply with legal obligations, including preventing and detecting money laundering or fraud, to fulfil agreements, provide services or products and serve customers in the best possible way. 

Third parties can be authorities, websites, social media, suppliers in the field of company information, registers and similar, and companies and persons subject to the AML Act. Public registers and other sources can also be used to validate information. 

When it is permitted in accordance with current legislation data can also be collected from external data processors, business partners including correspondent banks and other banks and vendors. 

November First collects information from devices, including technical information such as IP address; information on when and from where November First's website was visited, as well as information about the visits, including which links are clicked on, what articles are read, completed contact forms or downloaded content.  

In addition, November First uses cookies when visiting November First’s website. The purpose of this is to collect and process information about the visitors’ use of the website. For more information, please refer to November First’s cookie policy, that can be found at: https://www.novemberfirst.com/  

6. Disclosure of personal data with third parties 

In certain cases, November First discloses information to third parties who also protect the information. Sharing only takes place in accordance with applicable legislation. 

Disclosure of personal data can e.g., take place in the following cases where: 

• November First's partners help November First provide services through November First's integration and API (Application programming interface), such as using an ERP-system or payment initiation service agreement. November First only shares information if the business customer has asked to use this service or a partner's product 
• November First determines that it is required by law, or to protect individuals, their safety, and their rights or on the basis of government claims, bankruptcy, death, or similar cases. 
• It is allowed or necessary to disclose the information to comply with rules on investigation or reporting. 

Information can e.g., be disclosed to the following recipients: 

• Persons whom according to November First terms and conditions, has been recorded as contact persons, e.g., accountants or others associated with the customer 

• External data processors, business partners, banks, correspondent banks, and vendors, to deliver November First’s services to the customer 
• November First’s vendors including lawyers, accountants, and consultants 
• Data processors including other IT-suppliers e.g., regarding hosting and maintenance of November First’s services and data 
• Public authorities, supervisory authorities, and law enforcement authorities 
• With credit information agencies and/or warning registers in accordance with applicable rules in the event of breach of obligations 

The use of third parties 

Recipients of personal data can be independent data controllers regarding their processing of personal data; hence they will have their own Privacy Policy concerning how they process data. It is therefore important to read them as well.  

November First's sub-contractors or partners have access to information to the appropriate proportions to perform tasks on behalf of November First. They are obliged not to disclose the information or use it for other purposes.  

When November First uses external data processors, these only process personal data on behalf of November First for the specific purposes for which the personal data were originally collected, and only on the instructions of November First. November First also has a number of minimum-security requirements that November First’s data processors must always comply with. 

November First enters into data processing agreements with subcontractors in accordance with EU/EEA rules, EBA (European Banking Authority) guidelines, the Outsourcing Executive Order and GDPR to ensure a high level of protection. The agreements ensure that the processing of personal data by subcontractors is carried out in accordance with the applicable rules. The terms and conditions of the agreements always meet the requirements of the European Commission and the applicable data protection legislation. 

November First perform preliminary screening of potential suppliers to ensure a sufficient level of security in case of a possible upcoming processing of personal data. In addition, continuous supervision of suppliers is carried out in accordance with the rules in the Outsourcing Executive Order and the Danish Data Protection Authority's guidance on supervision of data processors. 

Confidentiality 

All employees of November First are subject to confidentiality, and employees may not inappropriately disclose or exploit confidential information that comes to the employees' knowledge through their work in November First.  

7. Transfer of personal data to third countries 

November First aims to apply data processors located in, or with the possibility of data storage inside the EU and EEA. However, November first uses data processors located in countries outside the EU and EEA, why data transfers to these may occur. 

The legal basis for these transfers is the EU-U.S. Data Privacy Framework or standardised contracts on data protection with the recipient as approved by the Commission (EUSCC’s). 

Where November First is instructed to initiate an international payment outside the EU and EEA, November First will, through partner bank, including correspondent banks, transfer the information entered to the beneficiary's bank's country for November First to provide November First's services and fulfil agreements.  

November First takes the necessary steps and measures to ensure that data is processed securely and in accordance with applicable laws. 

8. Automated decisions 

Depending on the services applied on the Platform, November First may in some cases make automated decisions. This can be in connection with increasing customer credit limit, the creation of authorizations, AML controls, etc.  

This means that November First may use technology to evaluate the circumstances of the transactions made or payments initiated. To be able to assess risks or investigate the background and intended nature of all complex and unusual transactions and the activities in any customer relationship with November First, to which November First is required to do under the AML Act. Furthermore, November First has a duty to document the results of November First's investigations.  

Depending on the specific decision, November First can apply systems or information from registers, including sanctions lists and public registers and sources. As a main rule, there will always be a person manually reviewing the decision.  

9. For how long does November First store personal data?

November First retains personal data for as long as is necessary in connection with the purposes for which it was collected and processed.  

November First retains data as long as necessary to comply with legal obligations under e.g., the AML Act, but at least 5 years after the termination of the access to the payment platform, the termination of the customer relationship, or after the completion of a single transaction. In some cases, November First retains personal data for longer, e.g., if it is necessary due to a person's association with the business customer or if the storage is required to fulfil other legal- or regulatory requirements.  

Other retention procedures may apply depending on the nature of the processing. If a business customer has requested a product or a service but does not become a customer of November First, personal data will normally be stored for a shorter period but can for various reasons be retained longer to fulfil legal requirements, e.g., according to the AML Act.  

10. Rights of the data subject 

Under GDPR, the following rights apply in relation to November First's processing of data: 

• The right to access the information that November First process as well as a number of additional information. However, the right to access may be restricted by legislation, the protection of other persons privacy or in consideration to November First’s business concept and business practices. November First’s knowhow, trade secrets and internal assessments and materials can also be prohibited from the right of access.  

• The right to have incorrect information corrected. 

• In certain cases, the right to have information deleted before November First’s general deletion occurs. However, there are certain exceptions where November First can or must retain the personal data, e.g., to comply with a legal obligation, the performance of a task carried out in the public interest, or the processing is necessary for the establishment, exercise, or defence of legal claims.   

• In certain cases, the right to have the processing of personal data restricted. If the right to have the processing restricted applies, henceforward November First may only process the data – except for storage – based on consent, or with the purpose of determining, exerting, or defending legal claims, or to protect a person or important public interests. 

• In certain cases, the right to object to November First's otherwise lawful processing of personal data. Furthermore, the right to object to the processing of data with the purpose of direct marketing. 

• In certain cases, the right to receive the personal data processed by November First in a structured, commonly used, and machine-readable format and to have that personal data transferred from one data controller to another without hindrance. 

• The right to withdraw consent at any time. Withdrawal does not affect the legality of November First’s earlier processing of personal data based on the previously given consent. Please note that if consent is withdrawn, November First might not be able to offer certain services or products, as well as November First continuously will use the personal data to e.g., fulfil a contract entered with the customer, or if November First is required to by law.  

More can be read about the rights in the Danish Data Protection Agency's Guidelines on the rights of the data subject, which can be found at www.datatilsynet.dk. 

11. Contact information and complaints 

Questions about the processing of personal data, or requests about exercising one of th rights described above, please contact our Data Protection Officer in one of the following ways: 

• E-mail: data@novemberfirst.com. 
• By letter: November First A/S, Strandgade 98, 3., 1401 København K, “Att.: DPO” 

A response can be expected from November First within 30 days of a request being received. 

If one is not satisfied with how November First process personal data a complaint can be filed to compliants@novemberfirst.com.  

Complaints can also be filed to the competent supervisory authority. The Danish Data Protection Agency’s contact details can be found at www.datatilsynet.dk. 

12. Changes 

November First may change this Privacy Policy. If November First makes significant changes to this, November First will notify the Customer through the Platform or otherwise, allowing for adequate review of all the changes. If these changes are not accepted, access may be terminated in accordance with the Terms and Conditions. If use of the Platform continues after November First has made changes to this Privacy Policy, this constitutes an acceptance of the updated Privacy Policy.