Privacy and Cookies Policy — Nibble Finance

Privacy and Cookies Policy


1.1. OÜ NIBBLE ITSF is committed to being a responsible custodian of the information You provide to us and the information we collect in the course of operating our business. This Privacy and Cookies Policy describes how we may collect and process information received by us in relation to the operation of our Website ( and the provision of services as outlined in our User Agreement. Please read this document carefully as it contains important information You should know before using our Website and/or our services.

1.2. You acknowledge and agree that by creating an account on our Website and clicking “Continue” or by using our Website and the services provided through it, You confirm that You have read, understood and accepted our User Agreement and our Privacy and Cookies Policy in their entirety. If You do not agree with this Policy or any part thereof, You should stop using the Website and our services.

1.3. Your Personal Data is processed in accordance with the General Data Protection Regulation (Regulation EU 2016/679, further — “the GDPR”), the Personal Data Protection Act and any other relevant legislation with respect to the accepted principles of good information handling (collectively referred to as the “Data Protection Legislation”).

1.4. This Privacy and Cookies Policy shall be governed by the laws of Estonia. The competent supervisory authority shall be the Estonian Data Protection Inspectorate.

1.5. A list of data protection authorities in EU jurisdictions is available here.

1.6. For all intents and purposes, the English language version of this Privacy Policy will be the original, governing instrument. In the event of any conflict between the English language version of this Privacy Policy and any subsequent translation into any other language, the English language version will prevail.


2.1. “Company” means OÜ NIBBLE ITSF, a private limited company incorporated in Estonia with registration number 14831029, having its registered office at Harju maakond, Tallinn, Kristiine linnaosa, Kotkapoja tn 2a-10, Estonia 10615 (the “Company”, “We” and “Us” hereinafter), which operates the Website available at;

2.2. “Website” means the Website operated by the Company and available at;

2.3. “Privacy and Cookies Policy” means the latest version of the Company’s Privacy and Cookies Policy which describes our policies and procedures pertaining to the collection, processing, use, and disclosure of Your Personal Data;

2.4. “Personal Data” means any information relating to the User, which identifies or may identify the User;

2.5. “User” means an individual or a legal entity that has read and agreed to the User Agreement and the Privacy and Cookies Policy and uses the services provided by the Company advertised and provided through the Website (referred to as “You” or “Yours” hereinafter);

2.6. “Services” means the services provided by the Company and advertised to Users via the Website as set out in detail in the User Agreement and the agreements for the investment facilitation services concluded between the Company and Users;

2.7. “Processing of Personal Data” means any operation performed with Personal Data, including the collection, recording, organisation, storage, modification, disclosure, granting access thereto, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of Personal Data or several of the abovementioned operations, regardless of the manner in which the operations are carried out or the means used therefor.


3.1. When processing Your Personal Data, we adhere to the following principles:

3.1.1. Legality and fairness: Your Personal Data shall be collected only in an honest and legal manner and the processing of Your Personal Data shall be only carried out on the basis of Your consent or some other legitimate basis;

3.1.2. Transparency: we shall ensure that it is transparent to You that Your Personal Data are collected, used, consulted or otherwise processed and to what extent the Personal Data are or will be processed. We shall ensure that any information and communication relating to the processing of Your personal data is easily accessible and easy to understand, and that clear and plain language is used. We further shall ensure that You are made aware of risks, rules, safeguards and rights in relation to the processing of Your Personal Data and how to exercise Your rights in relation to such processing;

3.1.3. Purposefulness: Your Personal Data shall be collected only for the achievement of determined and lawful objectives, and it shall not be processed in a manner not conforming to the objectives of data processing;

3.1.4. Minimalism: Your Personal Data shall be collected only to the extent necessary for the achievement of determined purposes;

3.1.5. Restricted use: Your Personal Data shall be used for other purposes only with Your consent or with the permission of a competent authority;

3.1.6. Data quality: Your Personal Data shall be accurate, up-to-date, complete and necessary for the achievement of the purpose of data processing;

3.1.7. Security: appropriate security measures shall be applied in order to protect Your Personal Data from involuntary, unauthorized or unlawful processing, disclosure or accidental loss, destruction or damage;

3.1.8. Individual participation: we shall notify You of data collected concerning You, and You shall be granted access to the data concerning You and shall have the right to demand the correction of inaccurate or misleading data;

3.1.9. Storage limitation: we shall keep Your Personal Data in a form which permits Your identification for no longer than is necessary for the purposes for which the Personal Data are processed; Your Personal Data may be stored for longer periods insofar as it be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures in order to safeguard Your rights and freedoms;

3.1.10. Accountability: we shall be responsible for, and demonstrate compliance with the above principles of data processing.


4.1. When You engage with us, we collect and process Your Personal Data, which includes as follows:

4.1.1. Personal identification and contact information, including Your name, e-mail address, phone number, country, full address and date of birth;

4.1.2. Data collected in connection with “Know Your Customer” (KYC) compliance, “Anti-Money Laundering” (AML) compliance and “Counter-Terrorist Financing” (CTF) compliance, including but not limited to: Your full name; Your residential address; Your contact details (telephone number, email address); Your date and place of birth, gender, place of citizenship; Your bank account information and/or credit card details; Your status as a politically exposed person; Source of funds & proof of address; Passport and/or national driver’s license or government-issued identification card used to verify Your identity.

4.1.3. Device and Website usage data, including: IP addresses; language preferences and other device identifiers; information relating to Your access to the Website, such as device characteristics, date and time.

4.2. We shall not process Your Personal Data that may be deemed sensitive under the GDPR and the Personal Data Protection Act, including but not limited to:

4.2.1. data describing political views, religious and philosophical beliefs, with the exception of data on membership of private legal entities registered in accordance with the law;

4.2.2. data describing ethnic origin and racial affiliation;

4.2.3. data on health status or disability;

4.2.4. data on heredity information;

4.2.5. biometric data (in particular, fingerprint, palm print and iris image and genetic data);

4.2.6. data on sex life and sexual orientation;

4.2.7. data on trade union membership;

4.2.8. information about committing an offense or becoming a victim of it before a public court hearing or a decision in the case of an offense or termination of the case proceedings.


5.1. We collect Personal Data directly from You when You use our Website, communicate with us via the Website, or interact directly with us via email or telephone. For example, direct collection of Your Personal Data occurs when You complete the contact form on our Website or when You contact us via email, telephone, the Chat box on our Website or through Your user account registered on the Website.

5.2. We use industry standards for automatically collecting certain information about visitors to our Website. We collect information about You, or information collected by cookies and similar technologies, when You use, access, or interact with our Website. We shall ensure that processing is proportionate and that we have carried out a legitimate interest impact assessment. To the extent that the use of cookies or similar technologies requires Your consent, we may also process Your Personal Data based on Your consent.

5.3. When You register a user account on our Website, we may perform checks at:

5.3.1. Credit reference agencies to verify the identity information You have provided to us, as part of complying with our legal duties. These checks consist of a ‘soft search’ and do not impact your credit score.

5.3.2. KYC and AML service providers, as part of complying with our legal duties.

5.4. We also may collect information about You from third-party sources, including but not limited to, the following channels:

5.4.1. marketing partners and resellers;

5.4.2. advertising partners and analytics providers;

5.4.3. public databases, credit bureaus and ID verification partners;

5.4.4. social networks (for example, Twitter).

5.5. We protect the Personal Data obtained from third parties according to the practices described in this Privacy Policy and we also apply additional restrictions imposed by the source of data.


6.1. The Company collects Your Personal Data for the following purposes:

6.1.1. To enable You to use our Website and the Services advertised thereon and/or provided through it, to register an account or profile, to process information You provide via our Website (including verifying that Your email address is active and valid);

6.1.2. To detect and prevent potentially prohibited or illegal activity relating to the Company’s services;

6.1.3. To tailor content, recommendations, and advertisements that we and third parties display to You on the Website and elsewhere online;

6.1.4. To contact You in response to Your inquiries, comments and suggestions;

6.1.5. With Your consent, to provide You with information, products, or services that we believe will interest You, including special opportunities from us and our third-party partners;

6.1.6. To contact You with administrative communications and with information regarding the changes to our Privacy Policy, User Agreement, or any of our other rules, policies or procedures;

6.1.7. For internal business purposes, such as to improve our Website;

6.1.8. To comply with our policies and obligations, including, but not limited to, disclosures and responses in relation to any requests from law enforcement authorities and/or regulators in accordance with any applicable law, rule, regulation, judicial or governmental order.

6.2. Your Personal Data, whether public or private, will not be sold, exchanged, transferred, or given to any other company for any reason whatsoever, without Your consent, other than for the purpose of delivering the requested services and improving our services.


7.1. We shall process Your Personal Data only if and to the extent that at least one of the following legal bases applies:

7.1.1. You have given consent to the processing of Your Personal Data for one or more specific purposes, provided that consent given electronically via the functionality of our Website constitutes valid consent to our processing of Your Personal Data;

7.1.2. Processing is necessary for the performance of a contract to which You are party or in order to take steps at Your request prior to entering into a contract;

7.1.3. Processing is necessary for compliance with any legal obligations to which we are subject under the EU and Estonian law;

7.1.4. Processing is necessary in order to protect Your vital interests or those of another natural person;

7.1.5. Processing is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by Your interests or Your fundamental rights and freedoms which require protection of Personal Data.


8.1. As a general principle, we collect and process Personal Data in order to facilitate or improve the Company’s services or offers. We do not sell Your Personal Data or share it with third parties, except to the extent stated in this Privacy Policy.

8.2. For behaviour statistics and business intelligence we use the services of Google LLC (“Google Analytics”), a company located in the United States. Your Personal Data that we may provide to Google Analytics may include Your IP address, and that data is used by Google Analytics to generate information about Your usage of our service.

8.3. By agreeing to this Privacy and Cookies Policy You unequivocally and expressly give us consent to share Your Personal Data with the following third parties:

8.3.1. Third-party service providers, including those providing advertising, analytics, research, customer service, service support, data storage, validation, security, fraud prevention, and legal services. Such third-party service providers have access to Your Personal Data to perform these services but are prohibited from using Your Personal Data for any other purpose;

8.3.2. Law enforcement bodies and other external parties (including but not limited to authorities that stop financial crime, money laundering, terrorism and tax evasion; the police, courts or other dispute resolution bodies; banks and other financial institutions for the purposes of fraud investigations, etc.) where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect Your vital interests and/or the vital interests of a third-party;

8.3.3. Our business partners and counterparties where this is done for the purposes of providing information to you regarding the available investment opportunities and other educational and marketing materials.

8.4. When we disclose Your Personal Data to a third party, we take all reasonable steps to ensure that those third parties are bound by confidentiality and privacy obligations with respect to the protection of Your Personal Data. The disclosure is conducted in compliance with legal requirements, including entering into data processing agreements with the relevant third parties, to ensure that Personal Data is only processed in accordance with our instructions, applicable laws and regulations and for the purpose specified by us and to ensure adequate security measures.


9.1. The Company will retain Your Personal Data for as long as we shall deem it necessary to enable You to use the Website and to provide Services to You, to comply with applicable laws (including those regarding document retention), resolve disputes with any parties and otherwise as necessary to allow us to conduct our business.

9.2. The legal basis for retaining Your Personal Data is the Company’s legitimate interest to protect our rights in the light of potential legal disputes during the limitation period under the applicable law.

9.3. If we have collected Your Personal Data in relation to Your inquiry to us, we retain Your Personal Data for up to three (3) years from collection, unless otherwise provided by this Privacy Policy.

9.4. Notwithstanding anything to the contrary in this Section, we may retain Your Personal Data where such retention is necessary for compliance with a legal obligation to which we are subject to, or in order to protect Your vital interests or the vital interests of another natural person.

9.5. When the Company no longer needs to keep Your Personal Data, it will securely delete or destroy it.


10.1. Your Personal data integrity is of high concern to us. We have implemented organizational and technical security measures in order to:

10.1.1. Prohibit access of unauthorized persons to data processing equipment used for processing of personal data;

10.1.2. Prevent unauthorized reading, copying, modification and removal of storage media;

10.1.3. Prevent unauthorized input of personal data and unauthorized inspection, modification or deletion of retained personal data;

10.1.4. Prevent deletion of data processing systems by unauthorized persons by means of data communication equipment;

10.1.5. Ensure access by users who hold an authorization for the use of automated data processing systems only to such personal data which are covered by the access authorization of the users;

10.1.6. Ensure an opportunity to verify and establish to which agencies personal data have been or may be transmitted or made available using data communication equipment;

10.1.7. Ensure an opportunity to verify and establish what personal data have been input into automated data processing systems and when and by whom the data were input;

10.1.8. Prevent unauthorized reading, copying, modification or deletion of personal data during transmissions of personal data or during transportation of storage media;

10.1.9. Ensure an opportunity to restore installed data processing systems in the case of interruptions;

10.1.10. Ensure functioning of data processing systems and notification of any faults in the functions thereof;

10.1.11. Prevent misrepresentation of personal data as a result of system malfunctions.

10.2. We follow the standard practices within the industry to protect the Personal Data that we collect and maintain, including using Transport Layer Security (TLS) to encrypt information as it travels over the internet. We have therefore implemented technology and security policies and procedures intended to reduce the risk of accidental destruction or loss, or the unauthorized disclosure or access to, such information, reasonably appropriate to the nature of the data concerned; unfortunately, however, no data transmission over the Internet can be guaranteed to be 100% secure.

10.3. We have implemented a number of additional security measures to ensure that Your Personal Data is not lost, abused, or altered, including, but not limited to:

10.3.1. Physical measures, which means that materials containing Your Personal Data will be stored in a locked place.

10.3.2. Electronic measures, which means that computer data containing Your Personal Data will be stored in the computer systems and storage media that are subject to strict log-in restrictions.

10.3.3. Management measures, which means that only authorized employees are permitted to come into contact with Your Personal Data, and such employees must comply with our internal confidentiality rules for Personal Data. We have also imposed strict physical access controls to buildings and files.

10.3.4. Technical measures.

10.4. If You suspect that Your Personal Data might have been compromised, please immediately contact our Customer Support Team at


11.1. Users residing within the EU are afforded certain rights regarding their personal information:

11.1.1. The right to access: You have the right to confirmation as to whether or not we process Your Personal Data and, where we do, to access the Personal Data and the following information:

  • the purposes of the processing of Your Personal Data;
  • the categories of Personal Data concerned;
  • the recipients or categories of recipient to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request rectification or erasure of Your Personal Data or restriction of processing of Your Personal Data or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the Personal Data are not collected from You, any available information as to their source;
  • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for You.
Providing that the rights and freedoms of others are not affected, at your request we will supply to You a copy of Your Personal Data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee;


11.1.2. The right to object to processing: You have the right to object to us processing Your Personal Data, citing personal reasons; however, understand that we may still process Your Personal Data if we have lawful grounds to do so, but only if our interests in processing Your Personal Data are not overridden by Your rights, interests, or freedoms;

11.1.3. The right to rectification: You have the right to have any inaccurate Personal Data about You rectified and, taking into account the purposes of the processing, to have any incomplete Personal Data about You completed;

11.1.4. The right to data portability: You have the right to obtain and reuse Your Personal Data for Your own purposes across different services. It allows You to move, copy or transfer Personal Data easily from one IT environment to another in a safe and secure way, without hindrance to usability;

11.1.5. The right to erasure (“the right to be forgotten”): You have the right to request that the Company erase Your Personal Data under certain conditions. However, this can sometimes be a limited right where our other duties prevent us from doing so. For example, if You asked us to delete Your identity and transaction data, we would not be able to do this, as we have a legal duty to keep it under anti-money laundering and counter-terrorism financing regulations;

11.1.6. The right to restrict processing: You have the right to request that the Company restrict the processing of Your Personal Data under certain conditions. Where processing of Your Personal Data has been restricted, such Personal Data shall, with the exception of storage, only be processed with Your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or Estonia;

11.1.7. The right to withdraw consent: to the extent that the legal basis for our processing of Your Personal Data is consent, You have the right to withdraw that consent at any time. However, withdrawal will not affect the lawfulness of processing of Your Personal Data before the withdrawal;

11.1.8. The right of recourse to Data Protection Inspectorate or court: if You believe that Your rights with regards to Your Personal Data have been infringed, You have a right of recourse to the data protection authority within Your jurisdiction or any competent court.

11.1.9. The right to demand compensation for damage: if Your rights with regards to Your Personal Data have been violated, You have the right to demand compensation for the damage suffered in accordance with the procedure provided for under the Law of Obligations Act or any other applicable legislation.

11.2. You may exercise Your rights in relation to Your Personal Data by contacting our Customer Support at You must note that prior to accessing and making changes to Your Рersonal Data, we will need to verify Your identity properly. Depending on the urgency of the matter, we will aim to respond to Your requests regarding Your Personal Data within 15 (fifteen) business days of receipt of any such request.

11.3. If You believe that Your rights have been infringed, You may lodge a complaint with the supervisory authority in Your jurisdiction. In Estonia, You can make an enquiry or file a complaint with the Estonian Data Protection Inspectorate.


12.1. We may need to transfer Your Рersonal Data to countries which are located outside the European Economic Area (“EEA”), for the purposes of providing the services to You.

12.2. Any transfer of Your Personal Data outside of the EEA will be subject to a GDPR-compliant guarantee (such a Model Contract Clause approved by the European Commission) that will safeguard Your privacy rights and give You remedies in the unlikely event of a security breach.

12.3. In cases of transmission of Personal Data to third countries all of the following conditions must be satisfied:

12.3.1. the transmission is strictly necessary for performance of the tasks of the law enforcement authority, which transmits the Personal Data, for the purpose of prevention, detection and proceeding of offences or execution of punishments;

12.3.2. the public interest outweighs the rights and freedoms of the data subject;

12.3.3. the transmission of Personal Data to an agency of any third country, which is competent to prevent, detect and process the offence or execute the punishment, is not effective or appropriate;

12.3.4. the agencies of third countries which are competent to prevent, detect and proceed offences or execute punishments shall be notified immediately, except in the case this is not effective or appropriate;

12.3.5. the recipient shall be notified of the specific purpose of processing of personal data and is directed to process Personal Data only for the specified purpose.

12.4. We document all instances of international transmission of personal data, including the date and time of transmission, the details of the receiving competent authority, the explanation of transmission and the personal data transmitted. At the request of the Estonian Data Protection Inspectorate, we make the above information available thereto.


13.1. We use cookies and similar technologies like pixels, tags, and other identifiers in order to remember Your preferences, to understand how our Website is used, and to customize our marketing offerings.

13.2. A cookie is a small data file containing a string of characters that is sent to Your computer when You visit a website. When You visit the websites again, the cookie allows that site to recognize Your browser. The length of time a cookie will stay on Your computer or mobile device depends on whether it is a “persistent” or “session” cookie. For further information regarding cookies, visit

13.3. We use the following types of cookies on our Website:

13.3.1. Strictly necessary cookies: these are essential for You to browse our Website and use its features. Without these cookies, some online services cannot be provided.

13.3.2. Performance cookies: these collect information about how You use our Website. This data may be used to help optimize our Website and make it easier for You to navigate.

13.3.3. Functional cookies: these allow our Website to remember the choices You make while browsing the Website and to personalize Your experience.

13.3.4. Third-party cookies: these are placed by websites and/or parties other than us. These cookies may be used on our Website to improve our services or to help us provide more relevant advertising. These cookies are subject to the respective privacy policies for the relevant external services.

13.3.5. Analytics cookies: these are offered by services like Google Analytics, to help us understand how long a visitor stays on our Website, what pages they find most useful, and how they arrived at

13.4. Most web browsers allow You to control cookies through their settings preferences. However, You should note that if You limit the ability of our Website to set cookies, this may impair Your overall user experience and limit the Website functionality, as the Website will no longer be personalized to You.

13.5. In addition to cookies, we sometimes use small graphics images known as pixels (also known as web beacons, clear GIFs, or pixel tags). We use pixels in our email communications to You (if You have selected to receive such communications) to help us to understand whether our email communication has been viewed. We also use third-party pixels (such as those from Google, YouTube, and other networks) to help us provide advertising that is relevant to Your interests.


14.1. We may update this Privacy and Cookies Policy from time to time and we encourage You to periodically review this page. If we make any material changes in the way we collect, use, and/or share Your Personal Data, we will notify You by posting notice of the changes in a clear and conspicuous manner on the Website at

14.2. Your continued use of our Website and Services after any amendments or updates introduced to this Privacy Policy shall constitute Your consent thereto and acceptance of the updated or amended version of the Privacy Policy.

14.3. If You do not agree to the updated or amended version of the Privacy and Cookies Policy, You must stop using our Website and our services.


15.1. Should You have any questions regarding this Privacy and Cookies Policy, our processing of Your Personal Data or Your rights with regards thereto, please do not hesitate to contact us via email at or through the Chat box on our Website.