Data protection policy

1 Data protection responsible

CitySales Group Oü

Company reg nr. 12210530

Narva mnt 63, Harju maakond

10152 Tallinn, Estonia


2 Data protection officer

David Johnson


3 Name of the register customer register

4 The purpose of processing of personal data in the register

The processing of personal data is subject to the consent of the data subject, the customer relationship or the legitimate interest of the data controller. The purpose of the register is to provide business loan services, manage customer relationships and process and maintain information regarding clients or customers.

5 The contents of the register

Information to be stored in the register are: the applicant’s name, position, company / organization, contact information (phone number, e-mail address, address), IP address of the network, company credit rating, information about funding decisions and changes of our partners, and other information regarding the customer relationship.

The information is kept only as long as it is necessary for the customer relationship and at most for 24 months from the last customer contact.

6 Regular sources of information

Personal information is collected through the loan application form on our website and / or by telephone from the registered user. The information can be updated and supplemented by the Central Business Register of The Netherlands and other similar services and registers provided by public or private entities.

7 Regular deliveries of data and transfers of data outside the EU or EEA

Personal data is regularly disclosed to our partners for funding decisions to enable our services. Our service provides information within the limits of the Dutch law. The information will not be disclosed outside the EU or the European Economic Area except for legal assignments or transfers.

8 The principles of registry protection

We handle all the information carefully and all the data stored in our systems are adequately protected. When keeping records on cloud-based servers, the physical and digital security of the hardware is handled and maintained appropriately. The controller ensures that stored data, server access privileges and other critical data related to the security of personal data are processed confidentially and only by employees whose job description they belong to.

9 The right of inspection and the right to demand correction

Everyone in the register has the right to check his / her data stored in the register and to demand that any incorrect information be corrected or incomplete information supplemented. If a person wishes to check or require correction of the information they have, the request must be sent in writing to the data controller at: info(a)

The data controller may, if necessary, request the applicant to prove his / her identity. The controller will to the customer at least within the time limit (within one month) of the European General Data Protection Regulation but, in principle, within a few days.

10 Other rights related to the processing of personal data

A person in the register has the right to request the deletion of his / her personal data from the register (“the right to be forgotten”). Also, those who are registered have other rights under the EU’s general data protection regulation (GDPR) such as restricting the processing of personal data in certain situations.

Requests should be sent in a form on our website:

After the form has been sent, we will delete all information regarding you within 2 working days.