Version 1.0

Privacy Policy and Cookies Policy

These Policies were updated on 11 December 2023 and apply to ORO Bank customers who signed up to receive our services on or after 11 December 2023.

This Privacy Policy and Cookies Policy (collectively, the “Policies”), together with our Terms of Use, govern DK Limited, Oro Bank Division’s collection, use, disclosure and processing of your personal data and our use of cookies and similar technologies. As used in these Policies, “ORO Bank”, “we”, “us” or “our” refers to the Oro Bank Division of DK Limited, a company organized under the laws of Bhutan.

The governing language of these Policies is English. Any other language translation is provided for convenience only. Please contact us with questions, comments, or concerns regarding our Privacy Policy and Cookies Policy and/or practices at our Help Center on our Websites or through email at dpo@oro.bank.

1. Acceptance of Policies and Updates

By continuing to access and use the Services, you consent to our data practices as described in these Policies. If you do not agree with or are not comfortable with any aspect of these Policies, you should immediately stop accessing and using the Services. You may also contact us with questions, comments, or concerns regarding these Policies and/or practices at dpo@oro.bank.

We reserve the right to modify these Policies at any time, and when required by law, we will notify you of changes to these Policies. If we make any material changes, we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on our Websites or mobile applications prior to the change becoming effective.

2. Definitions

Certain capitalized terms used in this Privacy Policy have the following meanings.

  • “Account” means an individual or corporate account for use of the Services opened by you in accordance with the Terms of Use.

  • “Data Privacy Laws” means:

    • data protection laws applicable to Bhutan, including without limitation Section 210 of the Financial Services Act of Bhutan 2011, Section 166 of the Royal Monetary Authority Act 2010, the Royal Monetary Authority of Bhutan’s Guidelines on Data Privacy and Data Protection 2022; and
    • any other applicable laws and their respective successors or implementing texts.
  • “Personal Data” means any information that directly or indirectly can be used to identify a natural person. Personal Data does not include anonymized and/or aggregated data that does not identify a natural person.

  • “Services” has the meaning given in our Terms of Use.

  • “Terms of Use” means the Terms of Use posted on the Websites, which govern your use of the Services.

  • “Websites” has the meaning given in our Terms of Use.

3. Privacy Policy

ORO Bank respects and is committed to protecting your privacy. The purpose of this Privacy Policy is to describe:

  • The Personal Data we collect;
  • The purposes of collection, use, disclosure, and processing of Personal Data;
  • The legal bases / lawful bases for processing Personal Data;
  • Sources of personal data, apart from personal data that you provide directly to us;
  • How and to whom we disclose your Personal Data;
  • Transfers of your Personal Data outside your jurisdiction;
  • Your rights concerning your Personal Data;
  • The security measures we use to protect your Personal Data;
  • ORO Bank’s retention of your Personal Data; and
  • Contact details of our Data Protection Officer.

In cases where we require your consent to process your Personal Data, we will ask for your consent to the collection, use, processing and/or disclosure of your Personal Data as described further below. We may provide additional disclosures or additional information about the data collection, use and sharing practices of specific Services. These notices may supplement or clarify ORO Bank’s privacy practices or may provide you with additional choices about how ORO Bank processes your Personal Data.

3.1 Collection of Personal Data

We only collect your Personal Data in a lawful manner and when we have a reasonable purpose to do so. Where permitted and subject to applicable Data Privacy Laws, the Personal Data we may collect from you include the following:

  • Information you provide to us. We may collect Personal Data that you provide directly to us when you communicate with us (e.g. request support, register for or participate in our events, complete surveys, subscribe to receive marketing communications) through our Websites, mobile applications, or by e-mail, phone, or any other medium. This may include:

    • Personal identification information, such as your full name, home address, email address, date of birth, age, nationality, gender, signature, and photographs.
    • Formal identification information, such as tax identification number, passport number and details, driver’s license details, national identity card details, photograph identification cards, and immigration visa information.
    • Account information, such as your username, password, account settings and preferences.
    • Financial information, such as bank account numbers, bank statements, and tax identification.
    • Residence verification information, such as utility bill details, bank statements, or similar information.
  • Information we collect automatically when you access our Websites or use our Services. We may also automatically collect information about your computer, device, and browsing and account activity when you access our Websites or use our Services. This information may include:

    • Device Information – Information that is automatically collected about your device, such as the hardware, operating system, and browser used by you.
    • Location Information – Information that is automatically collected via analytics systems providers to determine your location, such as your IP address and/or domain name and any external page that referred you to us.
    • Log Information – Information that is generated by your access or use of the Websites and Services that is automatically collected and stored in our server logs, such as device-specific information, location information, system activity and any internal and external information related to Website pages that you visit.
    • Account Information – Information that is generated by your account activity, such as trading activity, order activity, deposits, withdrawals, and account balances.
  • Information we collect from other sources. We may collect Personal Data from Sumbsub LTD and public sources, which may include:

    • Reputational information
    • Financial information – Information that is provided by our partners (e.g. credit bureaus) which have been collected and processed in accordance with applicable laws
    • Business activities of corporate users

3.2 Purposes of Collection, Use, Disclosure or Otherwise Processing of Personal Data

We may collect, use, disclose or otherwise process your Personal Data with your consent, or without your consent where there is another proper basis for doing so or where otherwise permitted or authorized by applicable Data Privacy Laws. Generally, we collect your Personal Data with your consent, and you may choose whether to provide us with the types of Personal Data requested, but we may not be able to offer you some or all of our Services when you choose not to share certain information with us. When we process Personal Data for any purposes for which your explicit consent has not been obtained, this will be reviewed and approved by our Data Privacy Management Committee.

Set out below are the purposes and legal basis for which we generally collect, use, disclose or otherwise process your Personal Data:

  • Compliance with legal or regulatory obligations;
  • Consent;
  • Performance of contracts with data subjects;
  • Protection of vital interests of data subjects; and
  • Performance of a task carried out in public interest.

Categories of Personal Data potentially involved:
  • Personal identification information
  • Formal identification information
  • Account information
  • Financial information
  • Residence verification information
  • Reputational information
  • Business activities information
Purpose of collection, use, disclosure or otherwise processing:
  • Opening, maintaining or closing your account, and facilitating your transactions
  • Providing our Services
  • Sending you communications regarding our Services, security issues or updates, or account-related and transaction-related information
  • Providing customer services (including assistance with troubleshooting, and responding to queries and complaints)
  • Quality control
Legal Bases:
  • Consent
  • Performance of contract
  • Compliance with legal or regulatory obligations

Categories of Personal Data potentially involved:
  • Personal identification information
  • Formal identification information
  • Account information
  • Financial information
  • Residence verification information
  • Reputational information
  • Business activities information
Purpose of collection, use, disclosure or otherwise processing:
  • Managing our business and administrative operations (including assessing your ongoing creditworthiness, administering approvals, fee waivers and adjustments)
  • Analyzing and managing commercial risk
Legal Bases:
  • Consent
  • Performance of contract
  • Public interest

Categories of Personal Data potentially involved:
  • Personal identification information
  • Formal identification information
  • Device information
  • Location information
  • Log information
  • Account information
  • Reputational information
  • Financial information
  • Business activities information
  • Residence verification information
Purpose of collection, use, disclosure or otherwise processing:
  • Marketing purposes
  • Conducting client outreach and managing client relationships
Legal Bases:
  • Consent
  • Performance of contract

Categories of Personal Data potentially involved:
  • Personal identification information
  • Device information
  • Location information
  • Log information
  • Financial information
Purpose of collection, use, disclosure or otherwise processing:
  • Research and development purposes, including to customize, measure and improve Services
  • Enhance user experience on Websites and mobile applications
Legal Bases:
  • Consent
  • Performance of contract

Categories of Personal Data potentially involved:
  • Device information
  • Location information
  • Log information
  • Account information
  • Personal identification information
Purpose of collection, use, disclosure or otherwise processing:
  • Managing and monitoring network and information security and the security of our Services, websites, mobile applications
  • Monitoring the safety of our customers, employees, and premises
Legal Bases:
  • Consent
  • Compliance with legal or regulatory obligations
  • Vital interests
  • Public interest

Categories of Personal Data potentially involved:
  • Personal identification information
  • Formal identification information
  • Account information
  • Financial information
  • Residence verification information
  • Device information
  • Location information
  • Log information
  • Reputational information
  • Business activities information
Purpose of collection, use, disclosure or otherwise processing:
  • Meeting our legal and regulatory obligations as well as compliance with any codes of practice or guidelines issued by relevant legal or regulatory bodies which are binding on us or informed that we are expected to comply with (including conducting customer due diligence and KYC checks and verifications, and vendor due diligence)
  • Detecting, investigating and preventing crime such as fraud, money-laundering, and terrorism financing
  • Enforcing our Terms of Use and other agreements
Legal Bases:
  • Consent
  • Compliance with legal or regulatory obligations
  • Public interest
  • Vital interests

Categories of Personal Data potentially involved:
  • Personal identification information
  • Formal identification information
  • Account information
  • Financial information
  • Residence verification information
  • Device information
  • Location information
  • Log information
  • Reputational information
  • Business activities information
Purpose of collection, use, disclosure or otherwise processing:
  • Facilitate corporate acquisitions, mergers, or transactions
Legal Bases:
  • Consent
  • Compliance with legal or regulatory obligations
  • Performance of contract

We set out additional information regarding some of the purposes listed above concerning our use and processing of your Personal Data:

  • Compliance with legal or regulatory obligations. We may be required by law to collect and use your Personal Data in connection with some of our core Services. For example, we must identify and verify users to comply with applicable laws on anti-money laundering and countering the financing of terrorism. For this purpose, we may use third parties to verify your identity by comparing the Personal Data you provided against third-party databases and public records. If you do not provide this Personal Data, you will not be allowed to use our Services.
  • Marketing communications. Based on your communication preferences, we may send you marketing communications to inform you about our events or our partner events, to deliver targeted marketing, and to provide you with promotional offers based on your communication preferences. We may also share Personal Data with third parties to help us with our marketing and promotional projects or sending marketing communications. You can opt out of our marketing activities at any time by contacting us at the following email address: dpo@oro.bank.
  • Purposes in connection with our performance of contracts with you. We may collect, use, disclose and process certain information to be able to perform our obligations under our contract with you or to take steps at your request prior to entering into a contract with you:
    • To provide the Services: We may process your Personal Data to provide the Services to you, including to open an account and to process your transactions. We cannot provide you with Services without such information.
    • To provide communications: We may send administrative or account-related information to you to keep you updated about our Services, inform you of relevant security issues or updates, or provide other transaction-related information. Without such communications, you may not be aware of important developments relating to your account that may affect how you can use our Services.
    • To provide customer service: We may process your Personal Data to resolve user questions or disputes, to collect fees, or to troubleshoot problems. Without processing your Personal Data for such purposes, we cannot respond to your requests and ensure your uninterrupted use of the Services.
    • To ensure quality control: We may process your Personal Data for quality control and staff training to make sure we continue to provide you with accurate information. If we do not process Personal Data for quality control purposes, you may experience issues on the Services such as inaccurate transaction records or other interruptions.
  • Enforcing our Terms of Use and other agreements. ORO Bank handles sensitive information, such as your identification and financial data, so it is very important for us and our customers that we actively monitor, investigate, prevent and mitigate any potentially prohibited or illegal activities or violations of our Terms of Use or other agreements related to the Services, and enforce our agreements with third parties. We may use any of your Personal Data collected on our Services for these purposes.
  • Ensuring network and information security. We may process your Personal Data to enhance security, monitor and verify identity or service access, combat spam or other malware or security risks and to comply with applicable security laws and regulations. The threat landscape on the internet is constantly evolving, which makes it more important than ever that we have accurate and up-to-date information about your use of our Services. Without processing your Personal Data, we may not be able to ensure the security of our Services.
  • Research and development purposes. We may process your Personal Data to better understand the way you use and interact with the Services. In addition, we may use such information to customize, measure, and improve the Services and the content and layout of the Websites and applications, and to develop new services. Without such processing, we cannot ensure your continued enjoyment of our Services.
  • Enhancing your user experience on our Websites and mobile applications. We may process your Personal Data to provide a personalized experience and to implement the preferences you request. Without such processing, we may not be able to ensure your continued enjoyment of part or all of our Services.
  • Facilitating corporate acquisitions, mergers, or transactions. We may process any information regarding your account and use of our Services as is necessary in the context of corporate acquisitions, mergers, or other corporate transactions. You have the option of closing your account if you do not wish to have your Personal Data processed for such purposes.

3.3 Automated Decision Making

We may make automated decisions on certain matters, such as to fulfill our obligations imposed by law (such as to verify your identity), to detect fraudulent or prohibited activities, or to determine whether you are eligible for certain Services. If you disagree with the decision, you are entitled to contest this by contacting us at the following email address: dpo@oro.bank.

3.4 Our Use of Cookies and Similar Technologies

Please see Part 4 (Cookies Policy) below for a description of how we use cookies and similar technologies on the Websites.

3.5 Disclosures to Third Parties

We take care to ensure that your Personal Data is accessed only by those who need to perform their tasks and duties, and to share your Personal Data only where we have consent from you or have a proper legal basis for doing so without your consent. We may disclose your Personal Data in the following circumstances:

  • We may share your Personal Data with third party identity verification and transaction monitoring services to assist in the prevention of fraud and other illegal activities and to fulfill our obligations under anti-money laundering and countering the financing of terrorism laws and regulations. This allows ORO Bank to confirm your identity by comparing the Personal Data you provide us to public records and other third-party databases.

  • We may share your Personal Data with service providers under contract who provide professional services to us (such as legal and accounting advisors) or help with parts of our business operations (such as marketing, cross-border transfer, payment and technology services). Our contracts provide for binding enforceable requirements on our service providers in compliance with applicable laws.

  • We may share your Personal Data with other financial institutions and payment services providers with which we partner to process payments you have authorized.

  • We may share your Personal Data with companies or other entities that we plan to merge with or be acquired by. If any such combination occurs, then we will require that the new combined entity follow this Privacy Policy with respect to your Personal Data. You will receive prior notice of any change in applicable policies.

  • We may share your information with companies or other entities that purchase ORO Bank’s assets pursuant to a court-approved sale under applicable bankruptcy laws or where we are required to share your information pursuant to applicable insolvency laws.

  • We may share your information with law enforcement, government officials or regulators, or other third parties when we are compelled to do so by a subpoena, court order, or similar legal procedure, to comply with applicable laws and regulations, to report suspected illegal activity, or to investigate violations of our Terms of Use or any other applicable policies.

  • We may request your consent to share your information with third parties in certain other circumstances. Such requests may be presented to you in our Terms of Use, an email from us to you, or otherwise through our Services.

  • In addition, from time to time, we may disclose your data to third parties without your consent but only to the extent allowed by applicable laws.

3.6 International Transfers of Personal Data

As a global company, we may store and process your Personal Data in our facilities in various locations which may include locations outside of Bhutan. This Privacy Policy applies regardless of the location in which we store and process your Personal Data.

We will ensure that your Personal Data is protected and treated in accordance with applicable Data Privacy Laws when it is transferred outside of your jurisdiction. Any onward transfer is subject to appropriate onward transfer requirements as required by applicable Data Privacy Laws.

3.7 Entitlements to Your Personal Data

You may be entitled to certain rights concerning your Personal Data depending on your jurisdiction as well as the Data Privacy Laws applicable to you. Where you are not entitled to certain rights listed in this Privacy Policy, we may at our sole discretion choose to extend them to you or choose not to fulfil your request. You can request to exercise these rights by contacting us at dpo@oro.bank. For avoidance of doubt, we may refuse your request if applicable Data Privacy Laws do not provide you with such rights, or where authorized or required by applicable law.

Subject to applicable Data Privacy Laws, you may have the following rights in relation to your Personal Data:

  • Access: You may be entitled to request a copy of your Personal Data held by us, how we have used or disclosed your Personal Data, and a confirmation as to whether or not Personal Data concerning you is being processed by us or on our behalf. Where permitted or required by applicable Data Privacy Laws, we may ask for further particulars relating to your request, refuse to provide some or all of the Personal Data requested and, in certain circumstances, charge a reasonable fee.
  • Correction: You may be entitled to request that any incomplete or inaccurate Personal Data we hold about you is corrected.
  • Erasure: You may be entitled to ask us to delete or remove Personal Data in certain circumstances. There are also certain situations where we may refuse a request for erasure, such as in cases where the Personal Data is required for compliance with law or in connection with pending legal claims.
  • Restriction: You may be entitled to ask us to restrict or stop the collection, use, processing and/or disclosure of your Personal Data. However, we may continue to do so to the extent permitted or required by applicable laws.
  • Data Portability: You may be entitled to ask us to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity if both (a) our lawful basis for processing the Personal Data was based on either your consent or where it was necessary for our performance of our obligations under our contract with you, and (b) the processing was carried out by automated means.
  • Objection: If we are processing your Personal Data on the basis of public interests, you may be entitled to object to such processing. You also have the right to object to the processing of your Personal Data for the purpose of direct marketing. We may continue to process your data if there are compelling legitimate grounds for doing so or to establish, exercise or defend any legal claims.
  • Automated Decisions: We use automated decision making in certain circumstances described in Section 3.3 above. You may be entitled not to be subject to a decision based solely on any automated decision, including profiling, where this has a legal or similar significant effect and ask for it to be reconsidered. We may continue to use automated decision making where authorized or required by applicable Data Privacy Laws.
  • Right to Submit a Complaint: If you believe that we have infringed your rights, we encourage you to contact us first at the Help Center on our Websites or via email at dpo@oro.bank so that we can try to resolve the issue or dispute informally. You can also submit a complaint about our processing of your Personal Data to the relevant data protection authority. You can submit a complaint in the country where you live or work or in the place where the alleged breach of the applicable Data Privacy Laws had taken place.

3.8 Security of Personal Data

In compliance with applicable Data Privacy Laws, we implement reasonable security measures to ensure the confidentiality of your Personal Data and to protect your Personal Data from loss, theft, unauthorized access, misuse, alteration, destruction or similar risks; and the loss of any storage medium or device on which Personal Data is stored. For example, we use computer safeguards such as firewalls and data encryption, enforce physical access controls to our buildings and files, and restrict access to Personal Data only to employees who require access to fulfill their job responsibilities.

However, we cannot guarantee that loss, theft, unauthorized access, misuse, alteration or destruction of your Personal Data will not occur. Please take adequate measures to protect your Personal Data. When registering to use our Services, it is important to keep your password a secret. Please notify us immediately if you become aware of any unauthorized access to or use of your account.

3.9 Retention of Personal Data

We retain Personal Data for as long as necessary to fulfill the purposes described in this Privacy Policy, or for our legal or business purposes. The criteria we may use to determine the retention period for certain categories of data include:

  • whether there are contractual or legal obligations (including any applicable law, statute, or regulation) that require us to retain the Personal Data for a certain period of time;
  • whether there are any ongoing or potential legal or financial claims / investigations that relate / may relate to your relationship with us;
  • the nature, relevancy and quality of the Personal Data; and
  • how sensitive the Personal Data is.

We will pseudonymize Personal Data when there is no longer any need to have identifying personal data and anonymize or delete personal data when the purpose of processing is fulfilled.

After you have terminated your use of our Services, we reserve the right to maintain your Personal Data as part of our standard back up procedures in an aggregated format.

3.10 Children’s Personal Data

We do not knowingly request to collect Personal Data from any person under the age of 18. If a user submitting Personal Data is suspected of being younger than 18 years of age, we will require the user to close his or her account. We will also take steps to delete the Personal Data as soon as possible. Please notify us if you know of any individuals under the age of 18 using our Services so we can act to prevent access to our Services.

4. Cookies Policy

4.1 Description of Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to allow websites to work properly or more efficiently, as well as to provide information to the owners of the website.

There are two general categories of cookies. “First-party cookies” are set directly by us. “Third-party cookies” are set by a third party, and that third party can recognize your computer both when it visits the Websites and when it visits certain other websites and/or mobile apps.

Cookies can remain on your computer or mobile device for different periods of time. Some cookies are “session cookies”, which exist only while your browser is open and expire once you close your browser. Other cookies are “persistent cookies”, which survive after your browser is closed. They can be used by websites to recognize your computer when you open your browser and browse the internet again.

More information on cookies and their use can be found at www.aboutcookies.org or www.allaboutcookies.org.

4.2 Why We Use Cookies

When you access our Services, we or companies we work with may place cookies on your computer or other device. These technologies help us better understand user behavior and inform us about which parts of the Websites people have visited.

We use cookies to:

  • track traffic flow and patterns of travel in connection with the Websites;
  • understand the total number of visitors to the Websites on an ongoing basis and the types of internet browsers (e.g. Firefox, Chrome or Internet Explorer) and operating systems (e.g. Windows or Mac OS) used by our visitors;
  • monitor the performance of the Websites and to continually improve them;
  • customize and enhance your online experience; and
  • enable us and third parties to advertise both on and off the Websites.

4.3 Types of Cookies We Use

We use the following types of cookies:

  • Strictly Necessary Cookies: These cookies are necessary because they enable you to move around our Websites and use certain features on our Services. For example, strictly necessary cookies allow you to access secure areas. Without these cookies, some Services cannot be provided.

  • Functionality Cookies: These cookies allow us to remember the choices you make and to tailor our Services so we can provide relevant content to you. For example, a functionality cookie can remember your preferences (e.g. country or language selection), or your username.

  • Performance/Analytics Cookies: These cookies collect information about how you use a website. For example, a performance/analytics cookie will collect information about which pages you go to most often, how much time you spend on that page, or if you get error messages from certain pages. These cookies do not gather information that identifies you. The information these cookies collect is anonymous and is only used to improve how our Services work.

  • Advertising and Tracking Cookies: Our Websites may feature advertising. We may allow third party companies, including advertising companies, to place cookies on our Websites. These cookies enable such companies to track your activity across various sites where they display ads and record your activities so they can show ads that they consider relevant to you as you browse the Internet. These cookies also allow us and third parties to know whether you have seen an ad or a type of ad, and how long it has been since you last saw it. This information may be used for frequency capping purposes, to help tailor the ads you see, and to measure the effectiveness of ads. These cookies are anonymous – they store information about the content you are browsing, but not about who you are.

4.4 Other Similar Technologies We Use

In addition to cookies, we may use other similar technologies such as web beacons to track users of our Services. Web beacons, or “clear gifs”, are tiny graphics with a unique identifier, similar in function to cookies. They are used to track the online movements of web users.

In contrast to cookies, which are stored on a user’s computer hard drive or device, clear gifs are embedded invisibly on web pages. We and our third-party service provider employ web beacons for the reasons stated above (under “4. Cookies Policy”), but primarily to help us better manage content on our Services by informing us which content is effective.

4.5 Avoiding and Disabling Cookies

You have the right to choose whether or not to accept cookies when asked on our Websites, and instructions for other methods of exercising this right are given below. However, please note that if you choose to refuse cookies you may not be able to use the full functionality of our Websites.

  • Our Cookies. Most browsers allow you to change your cookie settings. These settings will typically be found in the “options” or “preferences” menu of your browser.
  • Do Not Track. Some Internet browsers – like Chrome, Internet Explorer, Firefox, and Safari – include the ability to transmit “Do Not Track” or “DNT” signals. Since uniform standards for “DNT” signals have not been adopted, our Websites do not currently process or respond to “DNT” signals.
  • Advertising Cookies. To opt-out of third-party advertising networks and similar entities that use targeting/advertising cookies, go to https://www.aboutads.info/choices. Once you click the link, you may choose to opt-out of such advertising from all participating advertising companies or only advertising provided by specific advertising entities. For more information about third-party advertising networks and similar entities that use these technologies, please see https://www.aboutads.info/consumers.

5. Contact our Data Protection Officer

For inquiries and concerns, you may address them to ORO Bank’s Data Protection Officer via:

  • Websites (including mobile apps): Help Center
  • Mail: DK Limited, ORO Bank Division, Corporate Head Office: Building No. 43, Norzin Lam, PO Box 1714, Thimphu, Bhutan 11001; or
  • Email: dpo@oro.bank