Last updated: September 10, 2020
Please read these terms and conditions carefully before using Our Service.
The words of which the initial letter is capitalized have meanings defined under the following conditions.
The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
For the purposes of these Terms and Conditions:
These are the Terms and Conditions governing the use of this Service and the agreement that operates between You and the Company. These Terms and Conditions set out the rights and obligations of all users regarding the use of the Service.
Your access to and use of the Service is conditioned on Your acceptance of and compliance with these Terms and Conditions. These Terms and Conditions apply to all visitors, users and others who access or use the Service.
By accessing or using the Service You agree to be bound by these Terms and Conditions. If You disagree with any part of these Terms and Conditions then You may not access the Service.
The Service or some parts of the Service are available only with a paid Subscription. You will be billed in advance on a recurring and periodic basis (monthly or annually), depending on the type of Subscription plan you select when purchasing the Subscription.
At the end of each period, Your Subscription will automatically renew under the exact same conditions unless You cancel it or the Company cancels it.
You may cancel Your Subscription renewal either through Your Account settings page or by contacting the Company.
You will not receive a refund for the fees You already paid for Your current Subscription period and You will be able to access the Service until the end of Your current Subscription period.
You shall provide the Company with accurate and complete billing information including full name, address, state, zip code, telephone number, and valid payment method information.
Should automatic billing fail to occur for any reason, the Company will issue an electronic invoice indicating that you must proceed manually, within a certain deadline date, with the full payment corresponding to the billing period as indicated on the invoice.
The Company, in its sole discretion and at any time, may modify the Subscription fees. Any Subscription fee change will become effective at the end of the then-current Subscription period.
The Company will provide You with reasonable prior notice of any change in Subscription fees to give You an opportunity to terminate Your Subscription before such change becomes effective.
Your continued use of the Service after the Subscription fee change comes into effect constitutes Your agreement to pay the modified Subscription fee amount.
Except when required by law, paid Subscription fees are non-refundable.
Certain refund requests for Subscriptions may be considered by the Company on a case-by-case basis and granted at the sole discretion of the Company.
The Company may, at its sole discretion, offer a Subscription with a Free trial for a limited period of time.
You may be required to enter Your billing information in order to sign up for the Free trial.
If You do enter Your billing information when signing up for a Free Trial, You will not be charged by the Company until the Free trial has expired. On the last day of the Free Trial period, unless You cancelled Your Subscription, You will be automatically charged the applicable Subscription fees for the type of Subscription You have selected.
At any time and without notice, the Company reserves the right to (i) modify the terms and conditions of the Free Trial offer, or (ii) cancel such Free trial offer.
Any Promotions made available through the Service may be governed by rules that are separate from these Terms.
When You create an account with Us, You must provide Us information that is accurate, complete, and current at all times. Failure to do so constitutes a breach of the Terms, which may result in immediate termination of Your account on Our Service.
You are responsible for safeguarding the password that You use to access the Service and for any activities or actions under Your password, whether Your password is with Our Service or a Third-Party Social Media Service.
You agree not to disclose Your password to any third party. You must notify Us immediately upon becoming aware of any breach of security or unauthorized use of Your account.
You may not use as a username the name of another person or entity or that is not lawfully available for use, a name or trademark that is subject to any rights of another person or entity other than You without appropriate authorization, or a name that is otherwise offensive, vulgar or obscene.
Your Right to Post Content
Our Service allows You to post Content. You are responsible for the Content that You post to the Service, including its legality, reliability, and appropriateness.
You represent and warrant that: (i) the Content is Yours (You own it) or You have the right to use it, and (ii) the posting of Your Content on or through the Service does not violate the privacy rights, publicity rights, copyrights, contract rights or any other rights of any person.
The Company is not responsible for the content of the Service's users. You expressly understand and agree that You are solely responsible for the Content and for all activity that occurs under your account, whether done so by You or any third person using Your account.
You may not transmit any Content that is unlawful, offensive, upsetting, intended to disgust, threatening, libelous, defamatory, obscene or otherwise objectionable. Examples of such objectionable Content include, but are not limited to, the following:
The Company reserves the right, but not the obligation, to, in its sole discretion, determine whether or not any Content is appropriate and complies with these Terms, and to refuse or remove this Content. The Company further reserves the right to make formatting and edits and change the manner of any Content. The Company can also limit or revoke the use of the Service if You post such objectionable Content.
As the Company cannot control all content posted by users and/or third parties on the Service, you agree to use the Service at your own risk. You understand that by using the Service You may be exposed to content that You may find offensive, indecent, incorrect or objectionable, and You agree that under no circumstances will the Company be liable in any way for any content, including any errors or omissions in any content, or any loss or damage of any kind incurred as a result of your use of any content.
Although regular backups of Content are performed, the Company does not guarantee there will be no loss or corruption of data.
Corrupt or invalid backup points may be caused by, without limitation, Content that is corrupted prior to being backed up or that changes during the time a backup is performed.
The Company will provide support and attempt to troubleshoot any known or discovered issues that may affect the backups of Content. But You acknowledge that the Company has no liability related to the integrity of Content or the failure to successfully restore Content to a usable state.
You agree to maintain a complete and accurate copy of any Content in a location independent of the Service.
Intellectual Property Infringement
We respect the intellectual property rights of others. It is Our policy to respond to any claim that Content posted on the Service infringes a copyright or other intellectual property right of any person.
If You are a copyright owner, or authorized on behalf of one, and You believe that the copyrighted work has been copied in a way that constitutes copyright infringement that is taking place through the Service, You must submit Your notice in writing to the attention of our copyright agent via email at firstname.lastname@example.org and include in Your notice a detailed description of the alleged infringement.
You may be held accountable for damages (including costs and attorneys' fees) for misrepresenting that any Content is infringing Your copyright.
DMCA Notice and DMCA Procedure for Copyright Infringement Claims
You may submit a notification pursuant to the Digital Millennium Copyright Act (DMCA) by providing our Copyright Agent with the following information in writing (see 17 U.S.C. 512(c)(3) for further detail):
You can contact our copyright agent via email at email@example.com.
Upon receipt of a notification, the Company will take whatever action, in its sole discretion, it deems appropriate, including removal of the challenged content from the Service.
Kubera® is a registered trademark of the Company, in the United States of America.
All company, product and service names, logos, and brands used in this website are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.
The Service and its original content (excluding Content provided by You or other users), features and functionality are and will remain the exclusive property of the Company and its licensors.
The Service is protected by copyright, trademark, and other laws of both the Country and foreign countries.
Our trademarks and trade dress may not be used in connection with any product or service without the prior written consent of the Company.
You assign all rights, title and interest in any Feedback You provide the Company. If for any reason such assignment is ineffective, You agree to grant the Company a non-exclusive, perpetual, irrevocable, royalty free, worldwide right and licence to use, reproduce, disclose, sub-licence, distribute, modify and exploit such Feedback without restriction.
Our Service may contain links to third-party web sites or services that are not owned or controlled by the Company.
The Company has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party web sites or services. You further acknowledge and agree that the Company shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any such content, goods or services available on or through any such web sites or services.
We strongly advise You to read the terms and conditions and privacy policies of any third-party web sites or services that You visit.
We may terminate or suspend Your Account immediately, without prior notice or liability, for any reason whatsoever, including without limitation if You breach these Terms and Conditions.
Upon termination, Your right to use the Service will cease immediately. If You wish to terminate Your Account, You may simply discontinue using the Service.
Notwithstanding any damages that You might incur, the entire liability of the Company and any of its suppliers under any provision of these Terms and Your exclusive remedy for all of the foregoing shall be limited to the amount actually paid by You through the Service or 100 USD if You haven't purchased anything through the Service.
To the maximum extent permitted by applicable law, in no event shall the Company or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, but not limited to, damages for loss of profits, loss of data or other information, for business interruption, for personal injury, loss of privacy arising out of or in any way related to the use of or inability to use the Service, third-party software and/or third-party hardware used with the Service, or otherwise in connection with any provision of these Terms), even if the Company or any supplier has been advised of the possibility of such damages and even if the remedy fails of its essential purpose.
Some states do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages, which means that some of the above limitations may not apply. In these states, each party's liability will be limited to the greatest extent permitted by law.
The Service is provided to You "AS IS" and "AS AVAILABLE" and with all faults and defects without warranty of any kind. To the maximum extent permitted under applicable law, the Company, on its own behalf and on behalf of its Affiliates and its and their respective licensors and service providers, expressly disclaims all warranties, whether express, implied, statutory or otherwise, with respect to the Service, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and warranties that may arise out of course of dealing, course of performance, usage or trade practice. Without limitation to the foregoing, the Company provides no warranty or undertaking, and makes no representation of any kind that the Service will meet Your requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any performance or reliability standards or be error free or that any errors or defects can or will be corrected.
Without limiting the foregoing, neither the Company nor any of the Company's providers makes any representation or warranty of any kind, express or implied: (i) as to the operation or availability of the Service, or the information, content, and materials or products included thereon; (ii) that the Service will be uninterrupted or error-free; (iii) as to the accuracy, reliability, or currency of any information or content provided through the Service; or (iv) that the Service, its servers, the content, or e-mails sent from or on behalf of the Company are free of viruses, scripts, trojan horses, worms, malware, timebombs or other harmful components.
Some jurisdictions do not allow the exclusion of certain types of warranties or limitations on applicable statutory rights of a consumer, so some or all of the above exclusions and limitations may not apply to You. But in such a case the exclusions and limitations set forth in this section shall be applied to the greatest extent enforceable under applicable law.
The laws of the Country, excluding its conflicts of law rules, shall govern these Terms and Your use of the Service. Your use of the Application may also be subject to other local, state, national, or international laws.
If You have any concern or dispute about the Service, You agree to first try to resolve the dispute informally by contacting the Company.
If You are a European Union consumer, you will benefit from any mandatory provisions of the law of the country in which you are resident.
If You are a U.S. federal government end user, our Service is a "Commercial Item" as that term is defined at 48 C.F.R. §2.101.
You represent and warrant that (i) You are not located in a country that is subject to the United States government embargo, or that has been designated by the United States government as a “terrorist supporting” country, and (ii) You are not listed on any United States government list of prohibited or restricted parties.
If any provision of these Terms is held to be unenforceable or invalid, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.
Except as provided herein, the failure to exercise a right or to require performance of an obligation under these Terms shall not affect a party's ability to exercise such right or require such performance at any time thereafter, nor shall the waiver of a breach constitute a waiver of any subsequent breach.
These Terms and Conditions may have been translated if We have made them available to You on our Service.
You agree that the original English text shall prevail in the case of a dispute.
We reserve the right, at Our sole discretion, to modify or replace these Terms at any time. If a revision is material We will make reasonable efforts to provide at least 30 days' notice prior to any new terms taking effect. What constitutes a material change will be determined at Our sole discretion.
By continuing to access or use Our Service after those revisions become effective, You agree to be bound by the revised terms. If You do not agree to the new terms, in whole or in part, please stop using the website and the Service.
If you have any questions about these Terms and Conditions, You can contact us by email firstname.lastname@example.org.
Last updated: Mar 5, 2021
The words of which the initial letter is capitalized have meanings defined under the following conditions.
The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.
While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:
Usage Data is collected automatically when using the Service.
Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.
Tracking Technologies and Cookies
You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service.
Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close your web browser.
We use both session and persistent Cookies for the purposes set out below:
Necessary / Essential Cookies
Type: Session Cookies
Administered by: Us
Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.
Cookies Policy / Notice Acceptance Cookies
Type: Persistent Cookies
Administered by: Us
Type: Persistent Cookies
Administered by: Us
Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.
Tracking and Performance Cookies
Type: Persistent Cookies
Administered by: Third-Parties
Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new advertisements, pages, features or new functionality of the Website to see how our users react to them.
The Company may use Personal Data for the following purposes:
We may share your personal information in the following situations:
The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.
Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to, and maintained on, computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of Your jurisdiction.
Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.
Service Providers have access to Your Personal Data only to perform their tasks on Our behalf and are obligated not to disclose or use it for any other purpose.
Fetch latest asset value
The Users may link their bank, brokerage, crypto wallet accounts for the Service to automatically fetch their financial information. They may also provide their house address, car's VIN or domain names to automatically fetch their latest price. We may use third-party Service providers to power the automatic fetching of account balances and asset values.
We may use third-party Service providers to monitor and analyze the use of our Service.
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.
For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en
We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt-out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us.
We may use Email Marketing Service Providers to manage and send emails to You.
Some Personal Data may be shared with advertising services in order to promote the Company's brand and Services to Our target audience.
We may provide paid products and/or services within the Service. In that case, we may use third-party services for payment processing (e.g. payment processors).
Accessing the Service through Our 'White-Label Customers'
If You are accessing the Service through such 'White Label Customer', they may be able to access, add, edit and retain information shown on your portfolio. However, they will not be able to access information regarding your bank/brokerage/crypto account credentials unless you provide them such access or they access it through other means.
'White Label Customers' may also be able to suspend or terminate your account access.
Our Service does not address anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under the age of 18. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 18 without verification of parental consent, We take steps to remove that information from Our servers.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.
Last updated: November 4, 2020
For our European users we can confirm that we comply with the European General Data Protection Regulation (“GDPR”). Please see our Data Protection Impact Assessment (“DPIA”) which demonstrates the measures we have taken to comply with our Data Protection obligations.
Step 1 – Identify the need for a DPIA.
Kubera as a data controller for a web page (and potentially a mobile app in the future) that processes data directly from user accounts and also from the synchronisation of other platforms, such as banks and other financial institutions, is undertaking a DPIA in order to identify any areas of risk in the collection and processing of its user data.
Kubera will be collecting personal data of data subjects who are citizens of the European Union (“EU”) and are based in the European Economic Area (“EEA”) in order to provide them with services through the Kubera web and mobile app. It is therefore appropriate to use a DPIA to identify any risks associated with the collection, processing, transmission, retention, review and deletion of all personal data being collected for the purposes of providing a service to its users.
Step 2 – Data Processing.
Responsibilities and Standards Applicable to the Processing:
Kubera is collecting personal data directly from its users when they create an account, including personal data of “beneficiaries” and “trusted angels”. Some data is collected when users synchronise 3rd party platforms (e.g. bank accounts, brokerages, crypto exchanges, etc.) with their Kubera account. This information may contain personal data, e.g. contents of bank statements and transaction histories; however, it will not contain information such as bank account login information or sort codes and account numbers.
Some personal data is also collected from Google if the user decides to create a Kubera account using an existing Google account. However, the data collected is limited to only that which Kubera requests. This includes the user's profile picture, name and email address. Given that Google routinely collects a large volume of personal data from users, including date of birth, gender, email address and mobile phone number, it is important to identify if all of this information is shared by Google with Kubera. This does not appear to be the case at the moment; however, Kubera will monitor this.
The applicable standards are the European General Data Protection Regulation (“GDPR”) in relation to all personal data collected from EU citizens and associated implementing legislation, including the UK Data Protection Act 2018 (“DPA’18”). As personal data is being stored on infrastructure located in the United States, reference may be made to the California Consumer Privacy Act. Furthermore, at the time of writing this assessment, the EU-US privacy shield has been ruled invalid by the Court of Justice of the European Union (“CJEU”). In the absence of the privacy shield, data controllers must rely on the presence of Standard Contractual Clauses (“SCCs”) in all of their third party data processing agreements. Responsibility for ensuring compliance with all applicable standards rests with the directors of Kubera.
Describe the Nature and Scope of the Processing:
Kubera is processing the personal data of their users. This includes first name, last name, email address, password, profile picture and any information uploaded to the virtual “safe deposit box”. This could include special category data including the user's ID, passport, driving license, share certificates and details of any possible investments or liabilities. We should also consider that users could upload highly sensitive special category data including details of divorce proceedings, child custody arrangements, court mandated division of estates and assets, wills and trusts, details of medical histories and potentially ongoing medical details relating to the dependents of the user and literally anything else that the user considers to be of sufficient importance to store on the system. This could inadvertently lead to the processing of data of dependents defined as children/minors under GDPR (defined under DPA’18 as below 13 years of age). To ensure that Kubera does not collect and process the data of those who are defined as a minor under relevant law, Kubera has a short message on the page where the user inserts this information making it clear that information in relation to minors should not be inputted into the system.
Kubera also processes the personal data of others, known as “beneficiaries” or “trusted angels”. These data subjects aren’t direct users of the app but their personal data is inputted by a direct user. This information is not verified by the beneficiary and/or trusted angel; however, the direct user is prompted to make sure the information entered is correct. This is in case the user does not access their account for a lengthy period of time. In this situation, all of the data stored on the user's account will then be sent to the beneficiary or trusted angel. It will be necessary to ensure that no minors are appointed as beneficiaries or trusted angels on the system for the same reasons as outlined above.
Personal data is processed solely for the purpose of providing the user with a modern-day wealth tracker and consequently it is necessary to ensure that when a user ceases to login to the app and use the services provided or chooses to delete their account, that all processing of personal data of such user is ceased and deleted from Kubera’s systems in line with their data retention policy.
Describe the Context and Purpose of the Processing:
Personal data of Kubera users is collected and retained for the purposes of providing the user with a modern-day wealth tracker.
Personal data is shared with third parties by Kubera solely for the purpose of facilitating the provision of the service.
Some personal data may be shared with advertising services in order to target and promote Kubera's own services and brand. However, Kubera will not be sharing data of users who are citizens of the European Union (“EU”) and are based in the European Economic Area (“EEA”).
Personal data shared with third parties will not be subject to any onward data transfer either to additional third parties or third countries.
Step 3 – Types of Personal Data Collected.
In a series of meetings the co-founders of Kubera have facilitated the provision of information relating to the types of personal data collected during the operating of the Kubera mobile app and web page.
For the avoidance of doubt, the types of personal data collected include:
Step 4 – Life Cycle of the Personal Data Collected.
Acquiring of Personal Data:
Kubera acquire personal data in 2 ways, directly from the user through the Kubera app or web page when the user sets up an account or via Google if the user chooses to create a Kubera account using an existing Google account.
When a user downloads the Kubera app or goes onto the Kubera website the user is given 2 options on how they can create an account – directly through the Kubera app by entering their full name, email address and password, or through Google.
In order to provide the service, Kubera use the following third parties who act as data processors: AWS, Zabo, Yodlee, Plaid, Salt Edge, Log Rocket, Sentry, Help Scout, Google Analytics, Mail Chimp and Facebook.
It is Kubera’s responsibility to ensure that any third party data processors are processing the personal data of Kubera’s users safely and securely. For this reason, Kubera must ensure that Standard Contractual Clauses are in all of their third party processing agreements and that personal data is not retained on third party servers for longer than is necessary. Kubera must also ensure that data processors do not share the personal data of Kubera’s users with any other 3rd parties or third countries.
Kubera’s servers are operated by Amazon Web Services (“AWS”). All data collected and processed by Kubera, including personal data, is stored on AWS facilities in North Virginia, US.
By using AWS servers in the US Kubera is processing and transferring the personal data of EU citizens outside of the EEA. Previously, Kubera could have relied on the EU-US privacy shield framework in order to facilitate the processing and transfer of EU personal data outside of the EEA; however, due to the recent European court decision this framework is no longer valid. Therefore, Kubera must ensure that Standard Contractual Clauses are in all of their third party processing agreements where the personal data of EU citizens is stored and processed outside of the EEA.
All data that is stored on Kubera’s AWS servers is encrypted using AES encryption at 256 bit. Other security measures such as 2 factor authentication are in place.
Backup servers – Kubera to confirm details of the provision, location and security measures in place on the backup system along with the testing regime operated to validate the integrity of the backups that are taken.
Personal data is retained on the system on the basis that if a user fails to login to the system for a period of 45 days (or as set by the user) a series of 5 reminder emails/notifications, known as the “Life Beat Check”, will be sent to the user. These emails will contain a link/button that the user can click on and say “I’m okay”. The user is not required to login to their Kubera account. Just clicking on the link and visiting a webpage is enough to reset the “inactive timer”. In the event that all 5 reminders, sent over a period of 10 days, are unanswered the beneficiaries and/or trusted angels would be contacted via email and supplied with a copy of the user’s data in a downloadable format. As a final “longstop”, 12 months after the last user activity on the account a further reminder will be sent to the user and/or beneficiaries/trusted angels and in the event of no response after a period of an additional month (30 days) the user account will then be deleted from Kubera’s systems including backups in its entirety.
Deletion of Data:
Deletion of data should take place in line with the data retention policy outlined above. Any specific programs or systems to be used in the deletion of data may be detailed here.
Assess the Necessity and Proportionality:
The personal data collected represents the totality of the personal data required from the user to deliver the service requested by the user. No additional data is acquired apart from the minimum necessary to provide the service. This is subject to the information acquired from a user’s Google account being limited solely to information that is necessarily required for the provision of the service. If Google were to provide any additional personal data over and above the profile and contact information detailed above, such as details of the user’s location and travel history based on mobile device GPS data, search history information or purchasing history, such information would constitute far more personal data than is strictly required for the provision of service to the user. Under the terms of GDPR controllers are encouraged to adopt the principles of data minimisation and only to collect the bare minimum of data required for the performance of the service.
Any data supplied to Kubera through the safe deposit box function is at the user’s discretion. Any data uploaded by a user is supplied on the implicit understanding that it could be disclosed in full to a beneficiary or trusted angel in the event of a user’s incapacity. Consequently, all users should have it made clear to them that any information they would not be comfortable sharing with a beneficiary or trusted angel should not be uploaded to the system.
Step 5 – Legal Basis for Processing such Personal data.
Under article 6 of GDPR Kubera is acquiring and processing the personal data of users for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Step 6 – Data Subject Rights.
Right of Access (under Article 15 of the GDPR):
All data subjects who are resident in the European Union and whose personal data is processed by Kubera are entitled to make a subject access request regarding how their personal data is processed.
Under this right a data subject is entitled to receive details as to what items of their personal data are being processed and retained, the systems being used for this purpose and the basis upon which such systems are being used by Kubera. A statutory 30 day deadline applies for Kubera to respond to any Data Subject Access Request (“DSAR”) that may be received.
Kubera has an option in the application that ensures that users are able to download a full copy of the personal data that Kubera processes. This option is provided to the user via the webpage. Users can contact Kubera should they have any issues accessing this system by writing to email@example.com. Their request will be responded to within the 30 day deadline.
Right to Rectification (under Article 16 of the GDPR):
Under GDPR data subjects are able to request that all personal data held by an organisation may be updated and corrected as necessary.
While the personal data collected by Kubera is primarily supplied at the point of registration as a new user, or in the process of using the app, it is important that the user retains the right to be able to change any of this information during their lifetime as a user of the Kubera app. It currently appears to be the case that a user has the ability to change or update any of their personal information via the settings in the app. It is important that the feature is retained.
Right to Erasure (under Article 17 of the GDPR):
Each data subject has the right under GDPR to request that their personal data can be erased and in effect be “forgotten” by a data controller or processor. In making such a request the data subject will expect that their personal data is deleted from all relevant systems such as user accounts, marketing information, any third party processing and any long term data retention. Under the right to erasure a data subject has the statutory right to expect this to be undertaken within 30 days.
In practice it is common for some personal data of the data subject to be maintained for professional or regulatory purposes, for example in order to guard against a professional conflict of interest or in order to comply with statutory limitation. However, in this instance it is difficult to envisage a scenario where any personal data relating to a data subject making a request under the right to erasure should be retained by Kubera.
Consequently it will be necessary to ensure that a suitably robust system is in place to ensure that any such requests made by a data subject may be processed within 30 days and to ensure that their data is securely eradicated from all Kubera systems including marketing email communications, server backups and any third party data processing.
Data subjects resident in the European Union have the right to exercise the erasure of their personal data from Kubera’s systems. Part of this process can be completed by the user themselves via Kubera settings. To make sure there is no more data saved in the backups, they can contact Kubera and facilitate a request under the right to erasure and Kubera has 30 days in which to comply.
Right to Restriction of Processing (under Article 18 of the GDPR):
Each data subject resident in the EU has the right to request that Kubera as data controller shall restrict the processing of personal data in the event that the accuracy of any personal data is contested, where the processing may be unlawful, where Kubera no longer needs the personal data to supply its service or where the data subject has objected to the processing of the personal data. In the event of such a restriction being exercised by a data subject, the processing of personal data would only be able to recommence with the consent of the data subject.
Consequently, it is important that, as with the right to erasure, Kubera has the ability to identify individual personal data records and restrict the processing of such data in the event of such a request by the data subject.
All data subjects resident in the EU have the right under GDPR to request a restriction of processing by writing to firstname.lastname@example.org.
Right to Data Portability (under Article 20 of the GDPR):
Data subjects located in the EU are entitled to a right to receive a copy of the personal data that they have provided to Kubera or to request that their data be transmitted to another data controller on the condition that their personal data is being processed on the basis of consent or pursuant to a contract. As identified at step 5 of this assessment, Kubera is processing the personal data of its users for the performance of a contract to which the data subject is party; therefore, users of Kubera have the right to data portability.
Step 7 – Risks Associated with the Processing.