Volue believes it is important to protect the privacy of data subjects; as a user of Volue products and services, a supplier to Volue or a visitor to volue.com. Volue is committed to providing a service that meets the data subject’s need for privacy and protects personal information.

1.  Scope

This privacy statement applies to Volue’s processing of personal data concerning, or on behalf of, customers, including but not limited to processing through Volue’s services. It also applies to Volue’s processing of personal data of other third parties like suppliers, partners, investors etc.

This privacy statement explains what types of personal data Volue processes, how personal data is processed and how Volue complies with relevant data privacy laws and regulations, including the national laws of EU/EEA member states implementing EU Regulation 2016/679 (‘GDPR’).

Volue may anonymise personal data and use anonymised data on an aggregated level for statistical purposes or for improving the Volue services. When personal data has been anonymised, and is used on an aggregated level, the data is no longer personal data, and such use is not covered by this privacy statement.

The terms personal data, data dubject, processing, data processor and data controller are used and interpreted as defined by GDPR.

In the statement, Volue refers to the legal entity Volue AS, VAT.no. 924 332 166, Chr. Kroghsgate 16, 0186 Oslo, Norway, including its affiliates where Volue directly or indirectly controls a minimum of 50% of the shares.

2. What types of personal data does Volue process?

Volue collects and uses information like names, email addresses, phone numbers and payment information related to customers and other third parties. For customers, location data, physical addresses, and data regarding communication between customers and Volue may also be processed. Information from and about the devices customers use for accessing the services may also be collected. This includes information like IP addresses, the type of browser and device used, and other identifiers associated with the devices. A device (depending on its settings) may also transmit location information to the respective Volue service, but only if location services are activated on the device.

Additional processing of personal data is performed by the Volue subsidiary Volue Market Services AS, as further detailed in a separate section below.

Unless explicitly informed otherwise in the respective Volue service, Volue will not process any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or personal data relating to criminal convictions or offences.

3. Legal basis

Provision of certain personal data may be a necessary requirement for Volue to provide services in accordance with the agreement. In such cases, the legal basis for processing such personal data may be Article 6 (1) b) of GDPR. Furthermore, the legal basis may be Article 6 (1) f) of GDPR (legitimate interests pursued by the controller), which is the legal basis for marketing measures in an existing customer relationships. With regards to the processing performed by Volue Market Services AS due to regulatory requirements, Article 6 (1) c) of the GDPR applies.

Volue will not process personal data for purposes incompatible with the purposes that they were originally collected for, unless the data subject has consented to processing for other specific purposes. Volue may, for example, offer optional features of the Volue services that require such further processing of personal data.

If and to the extent Volue processes any personal data based on consent, the consent may be revoked at any time.

4. Data controller

Volue is the data controller in respect of the processing Volue conducts to manage the customer or third-party relationship with Volue. This also includes processing which is necessary as part of Volue’s service provision where Volue decides the purposes and means of processing.

If Volue processes personal data on behalf of a customer or other third-parties, then the customer or third party is the data controller, and Volue will only process the personal data as a data processor in accordance with instructions given by the data controller.

Inquiries regarding the details of the processing of personal data, such as location, retention periods, corrections, deletions etc. must be addressed to the data controller. If it is not clear who the data controller is, please contact Volue on the contact information in Section 12 for assistance.

5. For which purposes may Volue process personal data?

Volue will only process personal data for the purposes described in this privacy statement or, as the case may be, in accordance with lawful instructions given by the data controller in accordance with a data processing agreement.

Volue may process personal data for the following purposes;

• to provide, maintain and improve the services,
• to manage customer relationships, including by providing relevant information to customers and communicating regarding the services, e.g., by informing customers about their account, security updates and product information, and to contact customers for marketing purposes (which may be opted out of at any time),
• to fulfil any obligations that Volue has in accordance to agreements between Volue and customers, and to document such agreements,
• to comply with legal requirements. With regards to Volue Market Services; to comply with the legal requirements that apply for financial services.

 6. How does Volue process personal data?

Volue uses different technologies like cookies and pixel tags to provide, improve, protect and promote the services. For more information about how Volue uses cookies, please click the cookie symbol in the bottom left corner.

Volue has an information security policy that applies when Volue is processing personal data in the internal systems. In accordance with the policy, relevant information security measures are implemented to ensure the integrity, availability, accuracy and confidentiality of the personal data.

If Volue acts as a data processor on behalf of a data controller, the processing will be conducted in accordance with the lawful instructions given by a data controller through a data processing agreement.

7. How long will Volue store personal data? Rights of data subjects

In general, data subjects have the following rights in relation to Volue’s processing of personal data:

A right to view personal data being processed by Volue and to request a copy of such personal data, which shall be provided in a commonly used electronic format.

The right to require that incorrect, incomplete or inaccurate personal data is rectified or erased.

A right to restriction of processing under certain conditions.

If any personal data is used for direct marketing purposes, the right to object to the processing of personal data for such purposes.

A right to lodge a complaint with the relevant supervisory authority (in Norway: Datatilsynet), if Volue processes personal data in violation of this privacy statement or the GDPR. Contact information is found in Section 12.

8. How does Volue protect personal data?

Volue has implemented both organizational and technical measures to protect personal data from unauthorized access, loss, distortion or extraction, and Volue is committed to maintain data integrity and secure data availability. As part of Volue’s commitment, reasonable and appropriate physical, technical, and administrative procedures and measures are utilised to safeguard the information that is collected and processed. Volue stores customer data in secure operating environments that are only accessible to Volue employees and subcontractors on a need-to-know basis. Volue requests its registered users to verify their identity by e.g. login ID and password. In addition, the Volue services are continuously tested for vulnerabilities, and industry and technology developments are being monitored to ensure that personal data is protected by state-of-the-art information security measures.

9. How long will Volue process personal data?

Volue will only process personal data for as long as necessary in order to pursue the purposes for which the data is collected or to facilitate the services, unless it is required by law to store or process personal data for a longer period of time, e.g., to maintain appropriate financial records. Any personal data that is not needed to fulfil the legal obligations will be deleted without undue delay after the relationship with Volue has ended. If Volue is processing personal data on behalf of a data controller, personal data will be deleted and/or returned in accordance with the relevant data processing agreement between Volue and the data controller.

10. Does Volue share personal data with third parties?

Volue uses third party services such as cloud services or other IT hosting services with suppliers like Microsoft for the Microsoft Azure cloud. When using subcontractors, Volue will always enter into a data processing agreement that satisfies the requirements of applicable privacy laws, in order to safeguard personal data. Volue is fully responsible for the subcontractors’ processing of personal data.

Volue will not transfer or give access to personal data outside the EU/EEA or countries subject to an adequacy decision. Furthermore, data may be transferred or accessed subject to appropriate safeguards such as transfer agreements based on the EU Standard Contractual Clauses.

11. Changes to this privacy statement

Volue will update this privacy statement whenever necessary to reflect customer feedback and changes in Volue services. Should it be decided to modify this privacy statement, the revised statement will be posted on volue.com, with an updated revision date. If significant changes that materially alter Volue’s privacy practices are made, then Volue may also notify by other means, such as sending an email or posting a notice on the corporate website and/or social media pages prior to the changes taking effect.

12. How to contact Volue or the supervising authority

For any inquiries, comments, or questions regarding this Privacy Policy or Volue’s processing of Personal Data, please contact us using the following contact details:

Email (preferred): dpo@volue.com 

Phone: +47 909 99 275

Visiting address: Volue AS, Chr. Kroghsgate 16, 0186 Oslo, Norway

In case you want to lodge a complaint to the supervising authority, here is the contact information for the Norwegian Data Protection Authority (Datatilsynet):

Visiting address: Tollbugata 3, 0152 Oslo

Email: postkasse@datatilsynet.no

Phone: +47 22 39 69 00

Website: www.datatilsynet.no

13. Additional provisions applying to the financial services provided by Volue Energy Market Services AS

Volue Energy Market Services AS (VEMS) with org.no. 863 769 132 provides financial advice to and performs financial trading on behalf of its customers. In this respect, VEMS is legally obliged to record any communications with its customers, either by recording or, in cases of physical meetings, meeting protocols, and to store the recordings and transcripts of all communications with customers related to advice, investments, mandates etc. that are performed or intended to be performed by VEMS.

The purpose of recording and storage of communication is defined as follows:

Compliance with the Markets in Financial Instruments Directive (MiFID II) and Norwegian Securities Trading Act requirements for investment firms to keep recordings of telephone conversations and electronic communications in relation to services. The lawful basis for this purpose is the legal obligation VEMS has to comply with Norwegian Securities Trading Act section 9-17.

Prevention and detection of misconduct, such as insider trading and conflicts of interest. The lawful basis for this purpose is the legitimate interest VEMS has in preventing and investigating potential misconduct that can have severe financial and legal consequences for VEMS.

Documentation of what has been communicated to enable VEMS to exercise and defend legal claims. The lawful basis for this purpose is the legitimate interest VEMS has in handling legal claims to protect VEMS’ business interests.

VEMS will not use the recordings for any other purposes than the purposes listed above.

Recordings are stored for 5 years, unless specific circumstances should require longer retention of the recordings.

In order to ensure that VEMS is able to fulfill the defined purposes, recorded conversations are monitored on a random basis.

To maintain balance between the individual’s interests and VEMS’ legitimate interests, measures are implemented to limit the collection and use of data outside the defined purposes. In addition, VEMS has established an internal control system that ensures the rights of the data subjects.

The data subjects’ rights to have their personal data erased, including the erasure of specific recorded communications, are limited due to the legal obligations deriving from the Norwegian Securities Trading Act section 9-17. If anyone should still seek to request such erasure, a request must be submitted in writing to VEMS (please see contact details below).

VEMS may be obliged to disclose recorded information to relevant authorities, such as the Financial Supervisory Authorities, or others, if a request is received based on applicable laws and regulations.

VEMS is further obliged to disclose recorded information to a customer or a customer representative upon their request if they represent a party involved in the communications.

Any request for insight into information that has been recorded by and is related to VEMS financial advice or trading on behalf of you as a customer is to be sent in writing to: Volue Energy Market Services AS, Langbryggen 9, 4841 Arendal, Norway, dpo@volue.com, or phone no. + 47 73 80 45 00.

Any such requests will be processed in accordance with VEMS’ policy and instructions for disclosure of recorded information.