Vive's
Privacy statement

See our privacy statement below to see what we do with your information.

Disclaimer: This document has been translated directly from nl-NL (Dutch). In the event of any discrepancies between this translation and the original Dutch version, the Dutch version shall prevail.

Key Points

  • Who we are: Vive Invest B.V. is a licensed investment firm (Wft) supervised by the AFM and AP. We manage your investment portfolio through the Vive App.
  • What we collect: identity data, financial data and an investor profile. This is partly required under the Wwft and MiFID II — without this data we cannot open an account.
  • Legal obligations: we monitor transactions for money laundering and are required to report unusual transactions to FIU-NL. We are legally prohibited from informing you about this.
  • Sharing with third parties: only with technical service providers (processing agreement), government bodies (legally required) and supervisory authorities. Your data is never sold.
  • Your rights: you can request access, correction, erasure or lodge an objection via privacy@viveapp.com. More details in section 9.

1. Who does this statement apply to?

This Privacy Statement applies to three groups:

Website visitors.

Do you visit www.viveapp.com without an account? In that case we only process technical data (IP address, browser type, session behaviour) for the functioning of the website and, with your consent, for analytical purposes. Please also refer to our Cookie Statement.

Clients with their own account.

Have you independently opened an account with Vive Invest? In that case we process your personal data as data controller and this full Privacy Statement applies to you.

Participants via an employer or organisation.

Have you been invited by your employer or an organisation to participate in an investment scheme (beleggingsregeling) via Vive? In that case your employer processes your data as data controller during the invitation phase — please consult their privacy statement. Once you independently open an account with Vive, we become the data controller and this Privacy Statement applies in full.

2. About us

The data controller for the processing of your personal data is:

Vive Invest B.V.

Keizersgracht 268, 1016 EV Amsterdam, the Netherlands

Chamber of Commerce number (KvK): 61898635

Email: privacy@viveapp.com

Website: www.viveapp.com

If you have any questions about the processing of your personal data, please contact us at privacy@viveapp.com.

3. What personal data do we process?

3.1 Website visitors

  • IP address, browser type and operating system
  • Session data and page behaviour
  • Cookie IDs (see our Cookie Statement)

3.2 Clients

For the purpose of opening and managing an account and providing investment services, we process:

  • First and last name
  • Date, country and place of birth
  • Nationality and gender
  • Residential address
  • Telephone number and email address
  • Citizen service number (BSN) and/or other tax identification number
  • Counter account IBAN
  • Copy of identification document and selfie (for identity verification via Onfido)
  • Financial data: transaction history, portfolio data, balances
  • Investor profile: knowledge and experience, financial situation, risk appetite, investment horizon
  • Correspondence with Vive Invest (email, chat, telephone)
  • Device data (device type, operating system, IP address)
  • Location data (if you grant permission for this in the app)
  • Marketing data (click behaviour in emails, campaign preferences)

4. What do we use your data for?

4.1 Performance of the agreement

We process your data to open and manage your account, provide investment services, execute orders and process payments. Legal basis: Art. 6(1)(b) GDPR.

4.2 Legal obligations

As an investment firm we are bound by the Wft, MiFID II and the Wwft. This requires, among other things, identity verification (KYC), transaction monitoring, sanctions screening and tax reporting to the Tax Authority (Belastingdienst). Legal basis: Art. 6(1)(c) GDPR.

4.3 Legitimate interest

We process data for fraud prevention, security of our systems, improvement of our services and the quality of our customer service. Legal basis: Art. 6(1)(f) GDPR.

4.4 Consent

For the sending of newsletters and marketing communications and for non-functional cookies we request your consent. You may withdraw this consent at any time via the app or by sending an email to privacy@viveapp.com. Withdrawal of consent does not have retroactive effect. Legal basis: Art. 6(1)(a) GDPR.

5. Licence and legal obligations

Vive Invest B.V. holds a licence as an investment firm within the meaning of the Financial Supervision Act (Wet op het financieel toezicht, Wft). Vive Invest is subject to conduct supervision by the Netherlands Authority for the Financial Markets (Autoriteit Financiële Markten, AFM). Compliance with privacy regulations is monitored by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).

As a licensed investment firm, a number of legal obligations apply to us that directly affect the processing of your personal data. Below we explain these obligations.

5.1 Identity verification and client due diligence (Wwft)

Under the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, Wwft) we are required to verify your identity before we can accept you as a client and provide services. This client due diligence (also known as KYC — Know Your Customer) comprises:

  • Verification of your identity on the basis of a valid identification document
  • Determination of your nationality, place of residence and BSN (or other tax identification number)
  • Screening against international sanctions lists and lists of politically exposed persons (PEP screening)
  • Assessment of the origin of your assets where the risk profile gives rise to this

Without successful completion of the client due diligence we cannot open an account or provide services. This is not a choice made by Vive Invest, but a legal obligation. Legal basis: Art. 6(1)(c) GDPR (Wwft Art. 3).

5.2 Ongoing transaction monitoring and sanctions screening (Wwft)

The Wwft requires us not only at the outset, but also on an ongoing basis to be alert to unusual transactions and to periodically reassess your situation. In practice this means:

  • We systematically monitor your transactions for patterns that may indicate money laundering or terrorist financing.
  • We periodically re-screen you against current sanctions lists and PEP registers.
  • If we identify an unusual transaction, we are legally required to report it to the Financial Intelligence Unit of the Netherlands (FIU-NL). We are legally prohibited from notifying you of this (tipping-off prohibition, Wwft Art. 23).

Legal basis: Art. 6(1)(c) GDPR (Wwft Art. 16 in conjunction with Art. 23).

5.3 Suitability and appropriateness test (MiFID II)

Under MiFID II and the Wft we are required to assess whether our investment services are suitable and appropriate for you as an individual client. For this purpose we collect information about your knowledge and experience with financial instruments, your financial situation, investment objectives and risk appetite. Without completing this profile we cannot draw up a personalised investment plan or provide services. Legal basis: Art. 6(1)(c) GDPR (Wft Art. 4:23 in conjunction with MiFID II Art. 25).

5.4 Tax reporting and BSN processing

We are legally required to process your citizen service number (Burgerservicenummer, BSN) for tax reporting to the Tax Authority (Belastingdienst). This includes, among other things, reporting under the Common Reporting Standard (CRS) and FATCA (Foreign Account Tax Compliance Act). We report account balances, returns and dividends to the Tax Authority on an annual basis. The Tax Authority may exchange this information with tax authorities in other countries on the basis of international tax treaties. Legal basis: Art. 6(1)(c) GDPR (Wft, AWR, CRS/FATCA).

5.5 Consequences of non-cooperation

If you do not cooperate, or cooperate insufficiently, with the client due diligence or other legally required verifications, we will be compelled to refuse or terminate the provision of services. In such cases we have no discretion — the Wwft and Wft leave us no scope to circumvent this obligation.

6. With whom do we share your data?

6.1 Processors

To provide our services we engage the parties listed below as processors. We have concluded a processing agreement with each party. Personal data is stored exclusively within the European Economic Area (EEA), unless stated otherwise. Where storage outside the EEA takes place, EU Standard Contractual Clauses (SCCs) apply.

Privacy Statement Tabel
Sub-subprocessor Function Location Storage Safeguard
Auth0 Inc. (Okta)Authentication & identity managementUSEU (eu-west-1)SCCs + Okta DPA
Amazon Web ServicesCloud infrastructure, hostingUS (EU region)EU (eu-west-1)SCCs + AWS DPA
Onfido LimitedKYC / identity verification (ID&V, CDD)UK / EUEUUK Adequacy + DPA
Online Payment Platform B.V.Payment processingNLEUN/A – EEA
Twilio Inc.SMS verification, push notificationsUSEUSCCs + Twilio DPA
Freshworks Inc.CRM & customer serviceUS (EU DC)EU (Frankfurt)SCCs + Freshworks DPA
OneSignal Inc.In-app push notificationsUSEU data centreSCCs + OneSignal DPA
Mixpanel Inc.Product analytics (pseudonymised)USEU (Amsterdam)SCCs + Mixpanel DPA
Aircall SASBusiness telephone systemFREU data centreN/A — EEA
Google LLC (Workspace)Email & communicationUSEU (configured)SCCs + Google Workspace DPA

6.2 Government bodies

We may be required to share data with government bodies, including the Tax Authority (Belastingdienst) (tax reporting), De Nederlandsche Bank (Deposit Guarantee Scheme), the AFM and FIU-NL (Wwft reports). This is done exclusively on a legal basis.

6.3 Other recipients

We do not share your data with other third parties without your consent, unless we are legally required to do so.

7. How long do we retain your data?

We do not retain your personal data for longer than is necessary for the purpose for which it was collected, or for as long as the law requires. The principal retention periods are:

  • KYC file (identity verification, Wwft): 5 years after the end of the client relationship
  • Client account and investment file: 5 to 7 years after the end of the client relationship (MiFID II file: 5 years; Wft client records: 7 years)
  • Transaction data and financial records: 7 years after the transaction (tax retention obligation)
  • Customer service correspondence: 2 years after closure
  • Marketing data: until withdrawal of consent or a maximum of 2 years after the last interaction
  • Website analytics: 12 months

After the expiry of the retention period your data will be securely deleted or anonymised.

8. Security

Vive Invest takes the security of your data seriously and implements appropriate technical and organisational measures, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication for all employees and administrators
  • Access control based on the need-to-know principle
  • Continuous monitoring and logging of access to personal data
  • Annual penetration tests by an external party

To help safeguard the security of your account, we ask you to maintain the confidentiality of your login credentials.

9. Your rights

Under the GDPR you have the following rights:

  • Right of access: you may request a copy of the personal data we process about you.
  • Right to rectification: you may have incorrect or incomplete data corrected.
  • Right to erasure: you may request the deletion of your data, provided no legal retention obligation applies.
  • Right to restriction of processing: in certain cases you may request a temporary restriction of processing.
  • Right to data portability: you may receive your data in a structured, commonly used format.
  • Right to object: you may object to processing based on legitimate interest or for direct marketing purposes.
  • Right to withdraw consent: you may withdraw previously given consent at any time, without affecting the lawfulness of the prior processing.

You may exercise your rights by sending an email to privacy@viveapp.com or in writing to: Vive Invest B.V., Keizersgracht 268, 1016 EV Amsterdam. We will respond within 30 days. If you believe your rights have been violated, you may file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (www.autoriteitpersoonsgegevens.nl).

10. Cookies

We use cookies and similar technologies. Functional cookies are necessary for the functioning of the website and do not require consent. For analytical and marketing cookies we request your consent via our cookie banner. More information can be found in our Cookie Statement on www.viveapp.com.

11. Changes to this statement

We reserve the right to amend this Privacy Statement. The current version is always available at www.viveapp.com/documents. In the event of material changes we will inform you by email or via a notification in the app. The date of the most recent version is stated at the top of this document.

12. Contact

For questions about this Privacy Statement or the processing of your personal data, please contact:

Vive Invest B.V. — Privacy contact: Ramses van de Nes (COO)

Email: privacy@viveapp.com

Address: Keizersgracht 268, 1016 EV Amsterdam, the Netherlands

Website: www.viveapp.com