Privacy Policy

Effective Date: August 23, 2019

1. Introduction.

This Privacy Policy describes how DriveWealth, LLC (hereinafter “DriveWealth” “we” or “us”) needs to collect, use, disclose, transfer, store, retain, or otherwise process your Personal Data in order to service your account maintained at DriveWealth. This Privacy Policy, along with guidelines for processing of Personal Data, constitutes the overall framework for how we process your Personal Data within DriveWealth.

2. Information We Collect.

DriveWealth will collect personal information from you to establish your account pursuant to U.S. Securities Laws and to confirm your identity. The type of information we collect about you can vary depending on the country from which you access our services and the relationship that we maintain with your Introducing Broker or Investment Advisor. Generally, we may collect the following information in order to establish, maintain, and service your Account at DriveWealth:

  • Personal Identification Information. Your full legal name; address; date of birth; Tax ID, Social Security, or other government issued identification number.

  • Financial Information. Such as your bank account information, income, and net worth.

  • Tax Information. For purposes of establishing proper withholding and allowances and tax filing status; in the case of non-U.S. Customers, we need this information to complete your W-8BEN with the IRS.

  • Transaction Information. Pursuant to applicable law, we keep official books and records on all transactions which are conducted in your account, including trades, deposits, and withdrawals.

  • Other Information. There may be instances where we request additional information in order to properly service your account and/or provide our services to your introducing broker or investment advisor pursuant to applicable law.

We also collect information about you from other third-party sources for various purposes including, but not limited to:

  • Identity Verification Services. DriveWealth uses a third-party service to assist in making a good verification on your identity in accordance with U.S. regulations.

  • Background information. We may obtain background reports on you from publicly available records as part of our verification procedures.

3. Personal Data.

Personal Data” is any information which may be related to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, location data, phone number, age, gender, an employee, a job applicant, clients, suppliers and other business partners. This also includes special categories of Personal Data (sensitive Personal Data) and confidential information such as health information, account number, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Although information regarding companies/businesses is not considered Personal Data, please note that information relating to contacts within such companies/businesses, e.g. name, title, work email, work phone number, etc. is considered Personal Data.

Your Personal Data falls into one of two categories at DriveWealth:

  • Tier 1 Personal Data. Is considered any Personal Data which can be used to “identify” an individual and includes legal name, date of birth, government issued identification number (“Personal Identification Information”).

  • Tier 2 Personal Data. Is considered any Personal Data which can be used to “link” to an individual and includes information which, when combined with other Personal Data, could logically link an individual to their identity, such as address, employment information, financial information, telephone number, and email address.

Regardless of the category of your Personal Data, such information shall always be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject;

  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data is processed;

  • processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

To the extent there are any changes to your Personal Data, you should contact your introducing broker or investment advisor. You may also contact DriveWealth’s Data Protection Officer to make a request to correct Personal Data which you have previously provided. We may need to verify your identity, including contacting your introducing broker or investment advisor, if you request a change to your information.

4. How DriveWealth Uses Personal Data.

Your introducing broker or investment advisor maintains a clearing agreement with DriveWealth. Under that agreement, DriveWealth takes responsibility for certain specific functions including settling and clearing transactions in your account, performing cashiering functions, including receiving and delivering funds and securities for your account, maintaining the proper custody of funds and securities in your account, and keeping books and records related to your account (collectively, the “Services”). DriveWealth uses your Personal Data in order to provide the Services in accordance with applicable law.

5. How DriveWealth Shares Personal Data.

DriveWealth may share your Personal Data with its Affiliates and third-party vendors. In such instances, DriveWealth will only share the minimum amount of information required to provide, maintain, and improve upon the Services.

Personal Data (Tier 1 and Tier 2) is shared with Affiliates and third-party vendors as follows:

  • To confirm your identity.

  • To maintain the official books and records related to your account.

  • To prepare annual tax documentation.

In certain cases, DriveWealth may share your Tier 2 Personal Data with the following third-parties in order to provide the Services:

  • Secondary Database providers which DriveWealth uses to perform certain brokerage services. Secondary Database providers include software and database providers used to store information.

  • Payment verification providers which DriveWealth uses to verify the validity of deposits and withdrawals.

  • Corporate Action service provider which DriveWealth uses to provide notification on all Corporate Actions for which you are eligible. Corporate Actions include communications which may have an economic impact on a shareholder’s Account including proxy statements, ballots, information regarding voluntary and involuntary corporate actions, other shareholder materials.

  • Communications vendor (non-marketing related) which DriveWealth uses to assist in sending you information related to your account and investments.

Your Personal Data is also maintained within Amazon Web Services, which DriveWealth uses as its primary database provider to process and store your information. All information within Amazon Web Services is secured by DriveWealth Information Security procedures which means that no individual within Amazon can view your Personal Data.

6. Advertising and Marketing.

DriveWealth will not share your Personal Data for advertising or Joint Marketing purposes. We will only contact you in instances where it is necessary to service your account or where we are required to do so under applicable law.

7. Legal basis for Processing Personal Data.

Processing of Personal Data requires a legal basis. The most predominant legal basis for processing Personal Data within DriveWealth are: (i) Consent from the data subject for one or more specific purposes; (ii) The performance of a contract to which the data subject is party; (iii) A legal obligation or requirement; and (iv) Legitimate interests pursued by DriveWealth.

  • Consent. If the collection, registration and further processing of Personal Data on clients, suppliers, other business relations and employees are based on such a person’s consent to the processing of Personal Data for one or more specific purposes, DriveWealth shall be able to demonstrate that the data subject has consented to processing of such Personal Data. Consent shall be freely given, specific, informed and unambiguous. The data subject must actively consent to the processing of Personal Data by a statement or by a clear affirmative action, to him/her. A request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, and using clear and plain language. To process special categories of Personal Data (sensitive Personal Data) the consent shall also be explicit. The data subject is entitled to withdraw his/her consent at any time and upon such withdrawal, we will stop collecting or processing Personal Data about that person unless we are obligated or entitled to do so based on another legal basis.

  • Necessary for the Performance of a Contract. It will be legitimate to collect and process Personal Data relevant to the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This applies to all contractual obligations and agreements signed with DriveWealth, including the pre-contractual phase irrespective of the success of the contract negotiation or not.

  • Comply with a Legal Obligation. DriveWealth must comply with various legal obligations and requirements. Such legal obligation, to which DriveWealth is subject, may be sufficient as a legitimate basis for processing of Personal Data. In line with GDPR regulations, DriveWealth must also comply with U.S. Securities Laws and Treasury Laws, such as the Bank Secrecy Act. Such legal obligations include obligations to collect, register and/or make available certain types of information relating to employees, clients, etc. Such legal requirements will then form the legal basis for us to process the Personal Data, however, it is important to note whether the provisions allowing or requiring DriveWealth to process certain Personal Data also set out requirements in relation to storage, disclosure and deletion.

  • Legitimate Interests. Data will only be processed where it is necessary for the purposes of the legitimate interests pursued by DriveWealth, and these interests or fundamental rights are not overridden by the interests of the data subject. DriveWealth will, when deciding to process data ensures that the legitimate interests override the rights and freedoms of the individual and that the processing would not cause unwarranted harm. For instance, it is a legitimate interest of DriveWealth to process Personal Data on potential in order to verify the identity of the customer. The data subject must be given information on the specific legitimate interest if a processing is based on this provision.

8. Processing and Transfer of Personal Data.

  • DriveWealth as Data Controller. DriveWealth will be considered a data controller to the extent that we decide by which means the data subject’s Personal Data shall be processed e.g. when a data subject signs an agreement for service (“account agreement”) with DriveWealth.

  • Use of Data Processors. An external “Data Processor” is a company, which processes Personal Data on behalf of DriveWealth and in accordance with DriveWealth’s instructions, e.g. in relation to HR systems, third party IT providers, etc. When DriveWealth outsources the processing of Personal Data to Data Processors, DriveWealth ensures that said company as a minimum applies the same degree of data protection as DriveWealth.

  • Data Processing Agreements. Prior to transfer of Personal Data to the Data Processor, DriveWealth shall enter into a written data processing agreement with the Data Processor. The data processing agreement ensures that DriveWealth controls the processing of Personal Data, which takes place outside DriveWealth for which DriveWealth is responsible.

  • Disclosure of Personal Data. If the Data Processor/sub-Data Processor is located outside the EU/EEA, the following applies. Before disclosing Personal Data to others, it is the responsibility of DriveWealth to consider whether the recipient is employed by us or not. Furthermore, we may only share Personal Data within DriveWealth if we have a legitimate business purpose in the disclosure. It is DriveWealth’s responsibility to ensure that the recipient has a legitimate purpose for receiving the Personal Data and to ensure that sharing of Personal Data is restricted and kept to a minimum. DriveWealth must show caution before sharing Personal Data with persons, data subjects or entities outside of DriveWealth. Personal Data shall only be disclosed to third parties acting as individual data controllers if a legitimate purpose for such transfer exists. If the third-party recipient is located outside the EU/EEA in a country not ensuring an adequate level of data protection, the transfer can only be completed if a transfer agreement has been entered into between DriveWealth and the third party. The transfer agreement shall be based on the EU Standard Contractual Clauses.

9. Rights of the Data Subjects.

When DriveWealth collects and registers Personal Data on data subjects DriveWealth is obligated to inform such persons about:

  • The purposes of the processing for which the Personal Data are intended as well as the legal basis for the processing;

  • The categories of Personal Data concerned;

  • The legitimate interests pursued by DriveWealth, if the processing is based on a balancing of interests;

  • The recipients or categories of recipients of the Personal Data, if any;

  • Where applicable, the fact that DriveWealth intends to transfer Personal Data to a third party and the legal basis for such transfer;

  • The period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;

  • The existence of the right to request from DriveWealth access to and rectification or erasure of Personal Data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

  • Where the processing is based on the data subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

  • The right to lodge a complaint with DriveWealth via the correct procedure or with a supervisory authority;

  • Whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the Personal Data and of the possible consequences of failure to provide such data; and

  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

This information will in most cases be provided via a privacy notice on DriveWealth’s home page.

Any person whose Personal Data DriveWealth is processing, including, but not limited to, DriveWealth employees, job applicants, external suppliers, clients, potential clients, business partners, etc. has the right to request access to the Personal Data which DriveWealth processes or stores about him/her.

  • If DriveWealth processes or stores Personal Data about the data subject, the data subject shall have the right to access the Personal Data and the reasons for the data to be processed in relation to the criteria set out in this section.

  • The data subject shall have the right to obtain from DriveWealth without undue delay the rectification of inaccurate Personal Data concerning him or her.

  • The data subject shall have the right to obtain from DriveWealth the erasure of Personal Data concerning him or her and DriveWealth shall have the obligation to erase Personal Data without undue delay, unless required by law to retain any information for a prescribed period of time, for example, by financial regulators or tax authorities.

  • The data subject shall have the right to obtain from DriveWealth restriction of processing, if applicable.

  • The data subject shall have the right to receive the Personal Data registered in a structured and commonly used and machine-readable format, if applicable.

  • The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of Personal Data concerning him or her which is based on a balancing of interests, including profiling.

  • Any requests received from a data subject to exercise the rights in this clause will be answered as soon as reasonably possible, and no later than 30 days from receipt. Requests shall be forwarded without delay to DriveWealth’s Service Center. The Service Center will be supported by the DriveWealth’s Data Protection Officer to process the request to meet the reply deadline.

10. Data Protection by Design and Data Protection by Default.

New Products. New products, services, technical solutions, etc. must be developed so that they meet the principles of data protection by design and data protection by default. Data protection by design means that when designing new products or services due consideration to data protection is taken.

  • DriveWealth will take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

  • DriveWealth shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymizing, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet data protection requirements and protect the rights of data subjects.

Data Protection by Default. Data protection by default requires that relevant data minimization techniques are implemented.

  • DriveWealth shall implement appropriate technical and organizational measures for ensuring that, by default, only Personal Data which is necessary for each specific purpose of the processing is processed.

  • This minimization requirement applies to the amount of Personal Data collected, the extent of their processing, the period of their storage and their accessibility.

  • Such measures shall ensure that by default Personal Data is not made accessible without careful consideration.

11. Records of Processing Activities.

DriveWealth shall as data controller maintain records of processing activities under DriveWealth’s responsibility. The records shall contain the following information:

  • The name and contact details of the Account owner;

  • The purposes of the processing;

  • A description of the categories of data subjects and of the categories of Personal Data;

  • The recipients to whom the Personal Data have been or will be disclosed, including recipients in third parties or international organizations;

  • Where applicable, transfers of Personal Data to a third country, including the identification of that third country and, if relevant, the documentation of suitable safeguards;

  • Where possible, the envisaged time limits for erasure of the different categories of data; and

  • Where possible, a general description of the applied technical and organizational security measures.

DriveWealth shall make the records available to relevant data protection authorities upon request.

12. Deletion of Personal Data.

Personal Data shall be deleted when DriveWealth no longer has a legitimate purpose for the continuous processing or storage of the Personal Data, or when it is no longer required to store the Personal Data in accordance with applicable legal requirements. Detailed retention periods with respect to various categories of Personal Data are specified in DriveWealth’s Data Retention and Information Sharing policy.

13. Assessment of Risk.

If DriveWealth processes Personal Data that is likely to result in a high risk for the persons whose Personal Data is being processed, a Data Protection Impact Assessment (“DPIA”) shall be carried out. A DPIA implies that DriveWealth will, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with data protection requirements. The technical and organizational measures shall be reviewed and updated where necessary and no later than every 6 months. Adherence to approved codes of conduct or approved certification mechanisms may be used as an element by which to demonstrate compliance with the appropriate technical and organizational measures pursuant to this clause.

14. National Requirements.

DriveWealth shall comply with both the GDPR and national data protection legislation. If applicable national legislation requires a higher level of protection for Personal Data than such policies/guidelines, such stricter requirements are to be complied with. If DriveWealth’s policies/guidelines are stricter than the local legislation, our policies/guidelines must be complied with.

15. Security.

You understand that we cannot absolutely guarantee the security of the transmission and storage of your Personal Data as the internet is not an absolutely secure environment; however, we have taken numerous steps to ensure that the appropriate technical and organizational measures are in place to demonstrate a high level of data protection and keep, to the best of our ability, your Personal Data secure.

DriveWealth has adopted a number of internal and external data protection policies, which must be adhered to by employees of DriveWealth. Additionally, DriveWealth will monitor, audit and document internal compliance with the data protection policies and applicable statutory data protection requirements, including the General Data Protection Regulation (“GDPR”). DriveWealth will also take the necessary steps to enhance data protection compliance within the organization. These steps include the assignment of responsibilities, raising awareness and training of staff involved in processing operations. Please note that this Privacy Policy will be reviewed from time to time to take into account any new obligations and that any Personal Data we hold will be governed by our most recent policy.

16. Changes to this Privacy Policy.

DriveWealth may amend this Privacy Policy periodically by posting a revised version in its disclosure library and updating the Effective Date. The updated version will be effective as of the updated “Effective Date.” DriveWealth will provide you with reasonable notice if there are material changes to our Privacy Policy and how we collect, use, disclose, transfer, store, retain, or otherwise process your Personal Data in performance of the Services. If you disagree with any of the changes, you may contact us to close your account. Your continued use of our Services after the Effective Date constitutes your consent to any changes to our Privacy Policy. The current version of our Privacy Policy can be found at https://drivewealth.com/privacy-policy.

17. Contact.

If you have any questions regarding the content of this Privacy Policy, or believe that we have not protected your Personal Data in accordance with this Privacy Policy and wish to file a complaint, please contact DriveWealth’s Data Protection officer at privacy@drivewealth.com. We may request that you provide us additional information regarding your concerns so that we can adequately investigate and address your issue. Note that any additional information we request, and communications with you, may be retained as part of our records; all records will be kept confidential and any Personal Data will be maintained in accordance with this Privacy Policy. European Customers may also contact the Danish Data Protection Agency for privacy related complaints.

18. Definitions.

“Affiliates” mean companies related by common ownership or control. They can be financial companies and nonfinancial companies. DriveWealth’s Affiliates include DriveWealth Technologies, LLC.

“Nonaffiliates” mean companies that are not related by common ownership or control. They can be financial and nonfinancial companies. DriveWealth does not share Personal Data with nonaffiliates so that they can market to you.

“Joint Marketing” refers to a formal agreement between nonaffiliated financial companies that together market financial products or services. DriveWealth does not engage or use your Personal Data for Joint Marketing purposes.

19. Other Important Information.

For Nevada residents. We are providing you this notice pursuant to state law. You may be placed on our internal Do Not Call List by calling 800-326-7141. Nevada law requires that we also provide you with the following contact information: Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington St., Suite 3900, Las Vegas, NV 89101; Phone number - 702-486-3132; email: BCPINFO@ag.state.nv.us.

For Vermont Residents. In accordance with Vermont law, we will not share information we collect about Vermont residents with companies who are Nonaffiliates, except as permitted by law, such as with your consent or to service your accounts. We will not share information about your creditworthiness with our Affiliates without your authorization or consent, but we may share information about our transactions or experiences with you with our Affiliates without your consent.

For California Residents. In accordance with California law, we will not share information we collect about you with Nonaffiliates, except as allowed by law. For example, we may share information with your consent or to service your accounts. Among our Affiliates, we will limit information sharing to the extent required by California law.