Privacy Policy

MyAssets will implement and maintain technical and organisational measures to protect Your information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalised have meanings defined under the following conditions.

The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

  • Account means a unique account created for You to access our Service or parts of our Service.
  • Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to MyAssets.
  • Cookies are small files that a website places on Your computer, mobile device or any other device and that, among their many uses, contain details of Your browsing history on that website.
  • Data Controller for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.
  • Do Not Track (DNT) is a concept that has been promoted by US regulatory authorities, in particular the U.S. Federal Trade Commission (FTC), for the Internet industry to develop and implement a mechanism for allowing internet users to control the tracking of their online activities across websites.
  • Personal Data is any information that relates to an identified or identifiable individual.
    For the purposes of the GDPR, Personal Data means any information relating to You, such as a name, an identification number, location data, an online identifier or one or more factors specific to Your physical, physiological, genetic, mental, economic, cultural or social identity.
    For the purposes of the CCPA, Personal Data means any information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with You.
  • Service refers to the MyAssets website and application.
  • Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service, to assist the Company in analysing how the Service is used or to assist the Company in promoting the Service.
    For the purpose of the GDPR, Service Providers are considered Data Processors.
  • Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  • Website refers to the MyAssets website, accessible from https://MyAssets.com
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
    Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Display picture
  • Files you have uploaded
  • Phone number
  • Mailing Address
  • Home address
  • Internet Domain Names
  • Assets, Debts – Details and Value
  • Net Worth
  • Insurance details
  • Beneficiary Name, Email and Phone
  • Backup beneficiary Name, Email and Phone
  • Credit Card Details

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device’s Internet Protocol (IP) address, browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

Tracking Technologies and Cookies

We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyse Our Service.

You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.

Cookies can be “Persistent” or “Session” Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser.

We use both session and persistent Cookies for the purposes set out below:

Necessary / Essential Cookies

Type: Session Cookies

Administered by: Us

Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.

Cookies in this category (name, duration, description):

  • elementor (never expires): This cookie is used by the website’s WordPress theme. It allows the website owner to implement or change the website’s content in real time.
  • _cfruid (session): Cloudflare sets this cookie to identify trusted web traffic.
  • _GRECAPTCHA (5 months 27 days): This cookie is set by the Google reCAPTCHA service to identify bots and protect the website against malicious spam attacks.
  • cookieyes_privacy_policy_generator_session (2 hours): CookieYes sets this cookie to identify a session instance for a user.
  • cookieyes_session (2 hours): CookieYes sets this cookie to identify a session instance for a user.

Cookies Policy / Notice Acceptance Cookies

Type: Persistent Cookies

Administered by: Us

Purpose: These Cookies identify if users have accepted the use of cookies on the Website.

Cookies in this category (name, duration, description):

  • cookieyes-consent (1 year): CookieYes sets this cookie to remember users’ consent preferences so that their preferences are respected on their subsequent visits to this site. It does not collect or store any personal information of the site visitors.

Functionality Cookies

Type: Persistent Cookies

Administered by: Us

Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.

Cookies in this category (name, duration, description):

  • _hjAbsoluteSessionInProgress (1 day): This cookie is used to count how many times a website has been visited by different visitors. This is done by assigning the visitor an ID, so the visitor does not get registered twice.

Tracking and Performance Cookies

Type: Persistent Cookies

Administered by: Third Parties

Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new advertisements, pages, features or new functionality of the Website to see how our users react to them.

Cookies in this category (name, duration, description):

  • _ga (1 year 1 month 4 days): The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
  • _gid (1 day): Installed by Google Analytics, the _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website’s performance. Some of the data collected include the number of visitors, their source, and the pages they visit anonymously.
  • _gat (1 minute): This cookie is installed by Google Universal Analytics to restrain the request rate and thus limit the collection of data on high-traffic sites.
  • _hjTLDTest (session): To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
  • CONSENT (2 years): YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
  • _gcl_au (3 months): Provided by Google Tag Manager to test the advertising efficiency of websites using their services.
  • CLID (1 year): Collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heatmaps for the website owner.
  • _clck (1 year): Collects data on the user’s navigation and behaviour on the website. This is used to compile statistical reports and heatmaps for the website owner.
  • _clsk (1 day): Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.
  • _hjFirstSeen (30 minutes): Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value indicating whether it was the first time Hotjar saw this user.
  • MR (7 days): This cookie, set by Bing, is used to collect user information for analytics purposes.
  • _ga_* (1 year 1 month 4 days): Google Analytics sets this cookie to store and count page views.
  • _hjRecordingLastActivity (never expires): Hotjar sets this cookie when a user recording starts and when data is sent through the WebSocket.
  • _hjRecordingEnabled (never expires): Hotjar sets this cookie when a Recording starts and reads it when the recording module is initialised, to see if the user is already in a recording in a particular session.
  • _hjSessionUser_* (1 year): Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
  • _hjSession_* (30 minutes): Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
  • _cltk (session): Registers statistical data on users’ behaviour on the website. Used for internal analytics by the website operator.
  • _hjAbsoluteSessionInProgress (1 day): This cookie is used to count how many times a website has been visited by different visitors. This is done by assigning the visitor an ID, so the visitor does not get registered twice.
  • _hjIncludedInSessionSample_904797 (2 minutes): Hotjar sets this cookie to determine if a user is included in the data sampling defined by the site’s daily session limit.
  • VISITOR_PRIVACY_METADATA (5 months 27 days): YouTube sets this cookie.

Advertisement

Cookies in this category (name, duration, description):

  • _fbp (3 months): Facebook sets this cookie to display advertisements when the user is either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
  • __tld__ (session): This cookie is used to track visitors on multiple websites in order to present relevant advertisements based on their preferences.
  • fr (3 months): Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have the Facebook pixel or Facebook social plugin.
  • YSC (session): The YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages.
  • VISITOR_INFO1_LIVE (5 months 27 days): A cookie set by YouTube to measure bandwidth, which determines whether the user gets the new or old player interface.
  • test_cookie (15 minutes): The test_cookie is set by http://doubleclick.net and is used to determine if the user’s browser supports cookies.
  • yt-remote-device-id (never expires): YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
  • yt-remote-connected-devices (never expires): YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
  • SM (session): Registers a unique ID that identifies the user’s device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
  • MUID (1 year 24 days): Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
  • ANONCHK (10 minutes): The ANONCHK cookie, set by Bing, is used to store a user’s session ID and also to verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalisation as well.
  • IDE (1 year 24 days): Google DoubleClick IDE cookies are used to store information about how the user uses the website in order to present them with relevant ads according to the user profile.
  • yt.innertube::requests (never expires): YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
  • yt.innertube::nextId (never expires): YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service.
  • To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
  • To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To provide You with news, special offers and general information about services we offer, unless You have opted not to receive such information.
  • To manage Your requests: To attend and manage Your requests to Us.
  • To send You rewards: We may collect your Mailing Address by contacting You outside the app and by explaining the purpose, for example, for sending rewards based on Our loyalty programs.

We may share your personal information in the following situations:

  • With Service Providers: We may share Your personal information with Service Providers for connecting Your online financial accounts, fetching the latest asset values, processing payments, monitoring usage, reporting bugs, providing customer support, email marketing and targeting the Company’s promotional campaigns.
  • For Business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company.
  • With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honour this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.

The third-party processors/controllers that we work with are:

For the UK:

Plaid Financial Limited, New Penderel House, 4th Floor, 283-288 High Holborn, London, WC1V 7HP, United Kingdom

privacy@plaid.com

Retention of Your Personal Data

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen security or to improve the functionality of Our Service, or when We are legally obligated to retain this data for longer periods.

Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. This means that this information may be transferred to, and maintained on, computers located outside of Your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of Your jurisdiction.

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of Your data and other personal information.

Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of Users of the Service or the public
  • Protect against legal liability

Security of Your Personal Data

The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

Detailed Information on the Processing of Your Personal Data

Service Providers have access to Your Personal Data only to perform their tasks on Our behalf and are obligated not to disclose or use it for any other purpose.

Fetch latest asset value

Users may link their bank accounts for the Service to automatically fetch their financial information. They may also provide their asset details so that the latest price is fetched automatically. We may use third-party Service Providers to power the automatic fetching of account balances and asset values.

EOD Historical Data provides end-of-day and historical pricing on markets and FX globally. EOD Historical Data does not rent, sell or share personal information about You with other people or non-affiliated companies except to provide products or services. Their Privacy Policy can be viewed at https://eodhistoricaldata.com/financial-apis/privacy-policy/

Plaid provides account aggregation for top financial institutions. Plaid collects and securely stores the credentials You share, such as username and password. This information is never stored by, or disclosed to, Us. Their Privacy Policy can be viewed at https://plaid.com/legal/#end-user-privacy-policy.

Stripe provides payment processing software and application programming interfaces for e-commerce websites and mobile applications. Plaid collects and securely stores the credentials You share. This information is never stored by, or disclosed to, Us. Their Privacy Policy can be viewed at https://stripe.com/au/privacy
Analytics

We may use third-party Service Providers to monitor and analyse the use of our Service.

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.

You can opt out of making Your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js and dc.js) from sharing information with Google Analytics about visit activity.

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page:  https://policies.google.com/privacy?hl=en

Email Marketing

We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us.

We may use Email Marketing Service Providers to manage and send emails to You.

Advertisements

Some Personal Data may be shared with advertising services in order to promote the Company’s brand and Services to Our target audience.

Payments

We may provide paid products and/or services within the Service. In that case, we may use third-party services for payment processing (e.g. payment processors).

We will not store or collect Your payment card details. That information is provided directly to Our third-party payment processors whose use of Your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

Stripe’s Privacy Policy can be viewed at https://stripe.com/us/privacy

Children’s Privacy

Our Service does not address anyone under the age of 18 unless You specifically provide details appointing any such individual as a beneficiary. We do not knowingly collect personally identifiable information from anyone under the age of 18. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 18 without verification of parental consent, We take steps to remove that information from Our servers.

Links to Other Websites

Our Service may contain links to other websites that are not operated by Us. If You click on a third-party link, You will be directed to that third party’s site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third-party sites or services.

Changes to this Privacy Policy

We may update our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the “Last updated” date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Contact Us

If You have any questions about this Privacy Policy, You can contact Us by email: support@myassets.com
Complaint

MyAssets Limited only processes Your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however, You wish to raise a complaint regarding the processing of Your personal data or are unsatisfied with how We have handled Your information, You have the right to lodge a complaint with the supervisory authority. If You have an enquiry or complaint about Plaid, which provides the regulated Account Information Service and is Authorised and Regulated by the Financial Conduct Authority under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (Firm Reference Number: 804718), You have recourse to Plaid as Our Principal, and further recourse to the Financial Ombudsman Service (FOS). In the event that You have a complaint We cannot settle, You may be entitled to refer it to the Financial Ombudsman Service (FOS). Further information about the FOS is available from their website www.financial-ombudsman.org.uk. You may also submit a dispute for online resolution by using the European Commission Online Dispute Resolution Platform at https://webgate.ec.europa.eu/odr/.

For UK and EU:

Plaid Financial Limited
New Penderel House, 4th Floor, 283-288 High Holborn, London, WC1V 7HP, United Kingdom
privacy@plaid.com

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, SK9 5AF
Telephone: 0303 123 1113

GDPR

For Our European users, We can confirm that We comply with the European General Data Protection Regulation (“GDPR”) and the UK Data Protection Act.

  • Please see Our Data Protection Impact Assessment (“DPIA”) below, which demonstrates the measures We have taken to comply with Our data protection obligations.

Step 1 – Identify the need for a DPIA.

MyAssets, as a data controller for a web page and a mobile app that processes data directly from user accounts and also from the synchronisation of other platforms, such as banks and other financial institutions, is undertaking a DPIA in order to identify any areas of risk in the collection and processing of its user data.

MyAssets will be collecting personal data of data subjects who are citizens of the European Union (“EU”) and are based in the European Economic Area (“EEA”) in order to provide them with services through the MyAssets web and mobile app. It is therefore appropriate to use a DPIA to identify any risks associated with the collection, processing, transmission, retention, review and deletion of all personal data being collected for the purposes of providing a service to its users.

Step 2 – Data Processing.

Responsibilities and Standards Applicable to the Processing:

MyAssets is collecting personal data directly from its users when they create an account, including personal data of “beneficiaries”. Some data is collected when users synchronise third-party platforms (e.g. bank accounts, brokerages, crypto exchanges, etc.) with their MyAssets account. This information may contain personal data, e.g. the contents of bank statements and transaction histories; however, it will not contain information such as bank account login information or sort codes and account numbers.

Some personal data is also collected from Google if the user decides to create a MyAssets account using an existing Google account. However, the data collected is limited to only the information MyAssets requests. This includes the user’s profile picture, name and email address. Given that Google routinely collects a large volume of personal data from users, including date of birth, gender, email address and mobile phone number, it is important to identify whether all of this information is shared by Google with MyAssets. This does not appear to be the case at the moment; however, MyAssets will monitor this.

The applicable standards are the European General Data Protection Regulation (“GDPR”) in relation to all personal data collected from EU citizens and associated implementing legislation, including the UK Data Protection Act 2018 (“DPA 18”). Furthermore, at the time of writing this assessment, the EU-US Privacy Shield has been ruled invalid by the Court of Justice of the European Union (“CJEU”). In the absence of the Privacy Shield, data controllers must rely on the presence of Standard Contractual Clauses (“SCCs”) in all of their third-party data processing agreements. Responsibility for ensuring compliance with all applicable standards rests with the directors of MyAssets.

Describe the Nature and Scope of the Processing:

MyAssets is processing the personal data of its users. This includes first name, last name, email address, password, profile picture and any information uploaded to the virtual “Data Vault”. This could include special category data, including the user’s ID, passport, driving licence, share certificates and details of any possible investments or liabilities. We should also consider that users could upload highly sensitive special category data, including details of divorce proceedings, child custody arrangements, court-mandated division of estates and assets, wills and trusts, details of medical histories and potentially ongoing medical details relating to the dependents of the user, and literally anything else that the user considers to be of sufficient importance to store on the system. This could inadvertently lead to the processing of data of dependents defined as children/minors under the GDPR (defined under the DPA 2018 as below 13 years of age). To ensure that MyAssets does not collect and process the data of those who are defined as a minor under the relevant law, MyAssets has a short message on the page where the user inserts this information, making it clear that information in relation to minors should not be entered into the system.

MyAssets also processes the personal data of others, known as ‘beneficiaries’. These data subjects are not direct users of the app, but their personal data is entered by a direct user. This information is not verified by the beneficiary; however, the direct user is prompted to make sure the information entered is correct. This is in case the user does not access their account for a lengthy period of time. In this situation, all of the data stored on the user’s account will then be sent to the beneficiary. It will be necessary to ensure that no minors are appointed as beneficiaries on the system, for the same reasons as outlined above. In such an instance the user should appoint a partner, parent or legal adviser as the point of contact for any minors.

Personal data is processed solely for the purpose of providing the user with a modern-day wealth tracker. Consequently, it is necessary to ensure that when a user ceases to log in to the app and use the services provided, or chooses to delete their account, all processing of that user’s personal data ceases and the data is deleted from MyAssets’s systems in line with its data retention policy.

Describe the Context and Purpose of the Processing:

Personal data of MyAssets users is collected and retained for the purposes of providing the user with a modern-day wealth tracker.

Personal data is shared with third parties by MyAssets solely for the purpose of facilitating the provision of the service.

Some personal data may be shared with advertising services in order to target and promote MyAssets’s own services and brand. However, MyAssets will not be sharing data of users who are citizens of the European Union (“EU”) and are based in the European Economic Area (“EEA”).

Personal data shared with third parties will not be subject to any onward data transfer either to additional third parties or third countries.

Step 3 – Types of Personal Data Collected.

Consultation Process:

MyAssets has facilitated the provision of information relating to the types of personal data collected during the operation of the MyAssets mobile app and website.

For the avoidance of doubt, the types of personal data collected include:

  • First name;
  • Last name;
  • Email address;
  • Password;
  • Phone number;
  • Profile image; and
  • Any information uploaded to the virtual “data vault” (including, but not limited to, the user’s ID, passport, driving licence, share certificates and details of any possible investments or liabilities – this could include literally anything uploaded by the user).

Step 4 – Life Cycle of the Personal Data Collected.

Acquiring of Personal Data:

MyAssets acquires personal data in two ways: directly from the user through the MyAssets app or web page when the user sets up an account, or via Google if the user chooses to create a MyAssets account using an existing Google account.

When a user downloads the MyAssets app or visits the MyAssets website, the user is given two options for creating an account – directly through the MyAssets app by entering their full name, email address and password, or through Google.

Data Processing:

In order to provide the service, MyAssets uses the following third parties who act as data processors: EOD Historical Data, OneTrust, Plaid, Stripe and Vezgo.

It is MyAssets’s responsibility to ensure that any third party data processors are processing the personal data of MyAssets’s users safely and securely. For this reason, MyAssets must ensure that Standard Contractual Clauses are included in all of its third party processing agreements and that personal data is not retained on third party servers for longer than is necessary. MyAssets must also ensure that data processors do not share the personal data of MyAssets’s users with any other third parties or third countries.

Data:

MyAssets’s servers are operated by Google Firebase Services (“Firebase”). All data collected and processed by MyAssets, including personal data, is stored on cloud-based Firebase facilities in Germany.

By using Google servers in the US, MyAssets is processing and transferring the personal data of EU citizens outside of the EEA. Previously, MyAssets could have relied on the EU-US Privacy Shield framework in order to facilitate the processing and transfer of EU personal data outside of the EEA; however, following the recent European court decision, this framework is no longer valid. Therefore, MyAssets must ensure that Standard Contractual Clauses are included in all of its third party processing agreements where the personal data of EU citizens is stored and processed outside of the EEA.

All data that is stored on MyAssets’s Google servers is encrypted using 256-bit AES encryption. Other security measures, such as two-factor authentication, are in place.

Personal data is retained on the system on the basis that if a user does not continue to subscribe, they will be moved onto a free subscription in order to allow them to return to the system and still have their data. If they cancel the subscription, their data will be retained for only 90 days, unless they request otherwise, at which point it will be deleted.

Deletion of Data:

Deletion of data should take place in line with the data retention policy outlined above. Any specific programs or systems to be used in the deletion of data may be detailed here.

Assess the Necessity and Proportionality:

The personal data collected represents the totality of the personal data required from the user to deliver the service requested by the user. No additional data is acquired beyond the minimum necessary to provide the service. This is subject to the information acquired from a user’s Google account being limited solely to information that is necessarily required for the provision of the service. If Google were to provide any additional personal data over and above the profile and contact information detailed above, such as details of the user’s location and travel history based on mobile device GPS data, search history or purchasing history, such information would constitute far more personal data than is strictly required for the provision of the service to the user. Under the terms of GDPR, controllers are encouraged to adopt the principle of data minimisation and to collect only the bare minimum of data required for the performance of the service.

Any data supplied to MyAssets through the data vault function is at the user’s discretion and at the user’s sole risk. Any data uploaded by a user is supplied on the implicit understanding that it could be disclosed in full to a beneficiary in the event of a user’s incapacity. Consequently, all users should have it made clear to them that any information they would not be comfortable sharing with a beneficiary should not be uploaded to the system.

Step 5 – Legal Basis for Processing such Personal data.

Under Article 6 of GDPR, MyAssets is acquiring and processing the personal data of users for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

Step 6 – Data Subject Rights.

Right of Access (under Article 15 of the GDPR):

All data subjects who are resident in the European Union and whose personal data is processed by MyAssets are entitled to make a subject access request regarding how their personal data is processed.

Under this right a data subject is entitled to receive details as to which items of their personal data are being processed and retained, the systems being used for this purpose and the basis upon which such systems are being used by MyAssets. A statutory 30-day deadline applies for MyAssets to respond to any Data Subject Access Request (“DSAR”) that may be received.

MyAssets has an option in the application that ensures that users are able to download a full copy of the personal data that MyAssets processes. This option is provided to the user via the webpage. Users can contact MyAssets should they have any issues accessing this system by writing to support@myassets.com. Their request will be responded to within the 30-day deadline.

Right to Rectification (under Article 16 of the GDPR):

Under GDPR, data subjects are able to request that all personal data held by an organisation be updated and corrected as necessary.

While the personal data collected by MyAssets is primarily supplied at the point of registration as a new user, or in the process of using the app, it is important that the user retains the right to change any of this information during their lifetime as a user of the MyAssets app. It currently appears to be the case that a user has the ability to change or update any of their personal information via the settings in the app. It is important that this feature is retained.

Right to Erasure (under Article 17 of the GDPR):

Each data subject has the right under GDPR to request that their personal data be erased and, in effect, be “forgotten” by a data controller or processor. In making such a request the data subject will expect their personal data to be deleted from all relevant systems, such as user accounts, marketing information, any third party processing and any long-term data retention. Under the right to erasure a data subject has the statutory right to expect this to be undertaken within 30 days.

In practice it is common for some personal data of the data subject to be maintained for professional or regulatory purposes, for example in order to guard against a professional conflict of interest or in order to comply with statutory limitation. However, in this instance it is difficult to envisage a scenario where any personal data relating to a data subject making a request under the right to erasure should be retained by MyAssets.

Consequently it will be necessary to ensure that a suitably robust system is in place to ensure that any such requests made by a data subject may be processed within 30 days and to ensure that their data is securely eradicated from all MyAssets systems including marketing email communications, server backups and any third party data processing.

Data subjects resident in the European Union have the right to exercise the erasure of their personal data from MyAssets’s systems. Part of this process can be completed by the user themselves via the MyAssets settings. To ensure that no data remains in the backups, they can contact MyAssets and make a request under the right to erasure, and MyAssets has 30 days in which to comply.

Right to Restriction of Processing (under Article 18 of the GDPR):

Each data subject resident in the EU has the right to request that MyAssets as data controller shall restrict the processing of personal data in the event that the accuracy of any personal data is contested, where the processing may be unlawful, where MyAssets no longer needs the personal data to supply its service or where the data subject has objected to the processing of the personal data. In the event of such a restriction being exercised by a data subject, the processing of personal data would only be able to recommence with the consent of the data subject.

Consequently, it is important that, as with the right to erasure, MyAssets has the ability to identify individual personal data records and restrict the processing of such data in the event of such a request by the data subject.

All data subjects resident in the EU have the right under GDPR to request a restriction of processing by writing to support@myassets.com.

Right to Data Portability (under Article 20 of the GDPR):

Data subjects located in the EU are entitled to receive a copy of the personal data that they have provided to MyAssets, or to request that their data be transmitted to another data controller, on the condition that their personal data is being processed on the basis of consent or pursuant to a contract. As identified at Step 5 of this assessment, MyAssets is processing the personal data of its users for the performance of a contract to which the data subject is party; therefore, users of MyAssets have the right to data portability.

Consequently, the MyAssets privacy policy must identify that all data subjects resident in the EU have the right under GDPR to request a portable copy of their information, and must provide a means for data subjects to contact MyAssets and make such a request.

Step 7 – Risks Associated for MyAssets

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary:

Likelihood of harm (remote, possible or probable), severity of harm (minimal, significant or severe) and overall risk:

Measures currently in place to mitigate risks associated with the processing:

1. The inadvertent disclosure of account access to beneficiaries where, for whatever reason, the user has failed to respond to reminders but is not incapacitated and simply does not have the ability to get online or log in to their account. Users are only given a period of 10 days to check in and confirm they are “okay”, which is considered to be a short period of time (probable).

Users of the MyAssets system are informed about the disclosure process, including the flow of data from the user’s account to the beneficiaries, from the outset using a clear flowchart.

2. The system is at risk of being subject to a cyber-attack including Denial of Service (possible).

MyAssets periodically audits their infrastructure for any security issues. Any security issues found will be fixed/patched as soon as is reasonably possible.

MyAssets use Google Cloud Armor to detect and monitor incidents that may impact the security of their assets, for example malicious activity and unauthorised behaviour.

MyAssets restricts access to user assets using Google Identity and Access Management (“IAM”).
All employees of MyAssets are given training on cyber security principles.

Backups of the main server are taken regularly.
Access to user data is limited to a small number of employees.

Passwords on corporate accounts, for example the corporate Google accounts that can be used to access the main Google server, are changed frequently. Two-factor authentication is also applied where possible.

It is advised to implement an advanced persistent threat detection system to track user behaviour and potential attempts at unauthorised access, such as Distributed Denial of Service (“DDoS”) attacks. This can be considered a lower priority, to be implemented once the system has a high volume of daily users and presents a more valuable target to cyber criminals.

3. As part of this exercise MyAssets explained that they do not view any of the personal data that is connected to the users account or is stored in the user’s data vault. However, for the avoidance of doubt it is necessary to confirm the security measures that are in place to ensure that no MyAssets employee is in the position to access any personal data stored by MyAssets or any of the accounts that the user has synchronised with their MyAssets account (probable).

Database administrators have access to the database encryption keys and therefore can view any user data that is processed and retained by MyAssets on its systems. This is because there is no end-to-end encryption. However, internal tools are in place to ensure that all personally identifiable information viewed by operational staff is masked. This still means that an employee of MyAssets could access a user’s personal data; however, access to the servers where data is stored is given on a need-to-know basis and is limited to a small number of employees.

If an employee does need to access user data for any such reason, for example routine server maintenance, debugging etc, they are required to state a valid reason for that specific access session.

An audit trail/record is maintained for all data access sessions which are reviewed periodically.

Advice is given to users informing them that they should not store any information that would be highly risky if it fell into the wrong hands, for example passwords, credit card numbers, crypto wallet private keys, etc.

4. The risk of a MyAssets employee being able to access and potentially distribute (intentionally or unintentionally) any user account login and password information (probable).

User accounts are managed through Google. Therefore, MyAssets employees do not have access to any user account passwords.

5. The risk of the synchronisation of the user’s financial accounts that are linked with their MyAssets account being compromised by a malicious third party (possible).

6. The risk of a data breach by any third parties acting as data processors (possible).

MyAssets ensures valid contracts are in place with all third party data processors, and regularly checks for any updated terms, any change to the legal status of a third party (e.g. takeover/buyout) or any other substantial variation in service.

Institute regular coordination with third party processors, e.g. half-yearly or quarterly management calls, to review operations, receive updates on any legislative or security changes and to feed back any issues or problems that may have occurred on the MyAssets side.

7. The risk of users being observed by others when accessing the app or web page (probable).

Establish a code or guide for MyAssets users bringing to their attention possible risks as to how and where they access the app.

1. Do not use free public Wi-Fi when accessing the app or web page.

2. When accessing the app or web page via a new Wi-Fi system for the first time (e.g. hotel or airport) consider access via a VPN.

3. Do not access the app or web page when travelling on public transport or in a crowded area where the device screen may be overlooked by others. Consider the purchase and use of a privacy screen for your mobile device.

4. Ensure the security of your mobile device when used at home by putting all of your personal devices, as well as important home systems such as digital media, TV and IoT devices, on a secure, password-protected home network partitioned from a separate guest network provided to guests when requested.

5. Ideally access the app or web page using a secure 4G or 5G data connection for safe and speedy use.

8. The risk of beneficiary information not being up to date, which could mean that user data remains on the server after all of the multiple reminders have been exhausted; it is therefore essential that the “longstop” deletion of data after 1 year and 1 month is confirmed as being effective (probable).

An email/notification is sent to the user each year prompting them to confirm their information. This includes confirming that the contact details of their beneficiaries are accurate.

9. It is a significant risk that if a user has access to the app on a mobile device and passes the use of that device temporarily or permanently to another user, that user may be able to gain access to the account (probable).

The users are advised that, due to the sensitivity of the data held by MyAssets and accessed via the app, they may wish to ensure they dispose of their mobile devices securely rather than passing them to friends or family members or donating them, due to the risk of inadvertent access to the system by an unauthorised user.

10. Contrary to the principles of necessity, proportionality and data minimisation, Google may be sharing more information with MyAssets than is strictly necessary for the provision of services to the users such as GPS location data, search histories, subscriptions or purchase histories. The provision of any such data by Google would be far in excess of the personal data required from a Google account (remote).

MyAssets only obtains basic information from Google, i.e. email address, name and profile photo.

11. The risk that backups are not being taken regularly (remote).

Automated backups are taken. This process is managed by Google.

12. The risk that backups are not being regularly tested for effectiveness (probable).

It is advised as to the importance of ensuring an independent third party backup of the system is available for MyAssets to access and utilise independently of the Google system. This is to protect MyAssets from any outage in Google provision. While this may appear unlikely it still remains a significant risk. While MyAssets appreciates the risk, the difficulty in facilitating an independent backup means that this is a goal that MyAssets will work towards after the first 12 months of operation once resources are available in order to arrange such a facility.

13. The risk that backups are not being taken on a secure system totally separate from the Google primary infrastructure (probable).

Backups are stored on Google servers located in multiple geographically distant zones and are encrypted using AES-256 encryption.

14. The risk that backup is operated outside of the data retention policy outlined above (possible).

Backup and log files are configured to rotate every 30 days. MyAssets constantly verifies that this process is working as expected.

15. For the avoidance of doubt, in the absence of the EU-US Privacy Shield it is necessary to ensure that all contracts with data processors acting on behalf of MyAssets contain the necessary Standard Contractual Clauses (“SCCs”).

Ensuring that all third parties undertaking any data processing on behalf of MyAssets have valid contracts in place containing the necessary Standard Contractual Clauses that allow for the processing of the personal data of EU citizens. Furthermore, the SCCs will be changed by the EU and it will be necessary to ensure all relevant contracts contain the correct updated and valid SCCs.

16. Reviewing and updating any third party processor contracts to ensure they contain the appropriate updated SCCs. The European Union has confirmed its intention to update the SCCs.

Maintaining a watching brief for publication of new updated SCCs by the European Union.