Privacy policy for the use of payment services of Paynetics AD

This Privacy Policy (the “Policy”) describes how Paynetics AD collects, stores and uses your personal data in connection with the use of payment services provided by Paynetics AD, as well as the purposes and grounds for which it collects and processes them, and the rights of data subjects under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, the Regulation).

Paynetics AD may provide its payment services through integration with partners of ours who provide you with diverse online platforms and applications. Our payment services may be made available to you through these platforms and/or applications. In these cases, the relevant Privacy Policies of our partners apply, which you can find on the respective platforms and / or applications of the partner.

Definitions

“Paynetics” or “we”, “our”, “us” means Paynetics AD, with headquarters and registered address: Sofia 1407, 76A James Bourchier Blvd., ground floor, entered in the Commercial Register and the Register of Non-Profit Legal Entities, kept by the Registry Agency under UIC 131574695. Paynetics is an electronic money institution licensed by the Bulgarian National Bank with Decision No 44 of 11.04.2016 and is entered in the register kept by the Bulgarian National Bank, which can be found here.

“Personal data”, “controller”, “processor”, “data subject”, “processing” and other terms used by the Regulation have the meaning described therein.

This Policy is an important document. We recommend that you read it carefully.

How to contact us

If you have any questions about how we collect, store and use your personal data, or would like to exercise your rights in relation to your personal data, please contact us by writing to the Data Protection Officer of Paynetics at: 76 James Bourchier Str., Sofia 1407, Bulgaria; or dpo@paynetics.digital.

Personal data we collect

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

We do not collect personal data of persons under the age of 18.

We collect the following personal data about you:

– Identification data: data we use to identify you, verify your identity and carry out statutory checks: your name, permanent address, photo/video, email address, mobile phone number, date of birth; identity document and its data (number, date of issue, expiration date); whether you are a politically exposed person; details of your professional activity; data contained in documents of origin of funds or in other documents that we require by law;

– data about the payment services you use:

  • account details (IBAN, other identifiers, internal identifiers), public token, account status, information about cards connected to the account;
  • card details (if you use one) – number, date of issue, CVC/CVV code, PIN, card organization, information from the tokenization of the card with Google/Apple (if applicable);
  • payment data – information about all payment transactions made through the payment account: names and identifiers of the payees and payers (IBAN, tokens, other identifiers used to identify the recipients in the Paynetics system), identifier of the payment transaction; amount and currency of transactions, date and time of the payment transaction, status of the payment transaction, basis for the transaction and other explanations, signature of the payers; information about card payment transactions – information about the recipient – name, address, date and time, amount, fee, transaction identification number, transaction token, type, status, authorization code, 3D confirmation, merchant category code and description, payment summary description.

– Details of communication with you (via email, internet, on paper, our call center or through third parties) when you contact us to report a problem or inquiry – names, contact details, communication data, message metadata, status data of your enquiry, etc. Your inquiries may be transmitted to us by our partners when you use the payment services of Paynetics through their platforms and / or applications.

Please do not provide us with personal data of any other person unless we explicitly request you to do so and you have notified them of this.

For what purposes and on what grounds we use your personal data

We use your personal data for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract in order to:

– provide you with payment services;

– perform checks: to verify your identity and to check whether you meet the requirements in our Terms and Conditions to become a customer of the payment services;

– contact you regarding the payment services we provide;

– collect fees in connection with our services, which are described in our General Terms and Conditions;

– address any queries or questions you may have about our payment services.

We use your personal data for the purposes of our legitimate interests, your legitimate interests, as well as the legitimate interests of our partners, affiliated companies, employees and representatives, in order to:

– prevent or detect fraud, record suspicious or fraudulent behavior or suspicion of false or inaccurate information, as well as any illegal actions, or actions aimed at harming the interests of Paynetics or persons related to it;

– protect our legitimate interests and claims in connection with judicial, administrative and other proceedings.

We use your personal data for the purpose of fulfilling our legal obligations, including in connection with the specialized legislation regulating the provision of payment services, the legislation on measures against money laundering and terrorist financing, carrying out checks against sanctions lists, etc., as well as for compliance with other legal obligations, such as tax and accounting obligations.

To whom we disclose your personal data

We may disclose your personal data to any member of our group of affiliated companies insofar as reasonably justified for the purposes and in relation to the grounds set out in this Policy.

We may disclose personal data to data processors who carry out activities in relation to your personal data only in accordance with our instructions and for the purposes and means specified by us and described in this Policy.

If you access our payment services through a platform or application created or managed by our partner, your personal data processed in connection with the payment services is visible to our partner. Our partners may be our registered representatives in accordance with the Payment Services and Payment Systems Act. You can find a list of our registered representatives here: https://www.bnb.bg/bnbweb/groups/public/documents/bnb_download/ps_po_register_3a_en.xls. Our representatives act as processors of personal data on our behalf in connection with the payment services of Paynetics provided through their platforms or applications. However, they act as independent controllers with respect to your data, which they process in relation to the platform or application itself and all other functionalities and services they provide to you outside the payment services of Paynetics. Our partners are only established in the European Economic Area and do not process personal data in third countries. They are bound by significant and detailed obligations to implement safeguard measures. Paynetics controls and audits their activities in accordance with its obligations in its role as a licensed electronic money institution under the legislation regulating payment services and the legislation on personal data protection.

We may disclose your personal data to a third party which usually acts as data processor on our behalf to help us comply with our legal obligations. Verification of your identity may be carried out by our partners who provide you with a platform or application through which you can access Paynetics’ payment services. In these cases, Paynetics receives only the results of these checks. Sometimes Paynetics uses features developed by third parties, such as features to determine if a person captured in a video is a living person and features to compare the person in the video with the identification documents submitted. These features assist the Paynetics team in assessing whether the person in the video is who they say they are. For this purpose, Paynetics uses the services of Amazon Web Services (AWS) or Trulioo, which act as processors on our behalf. We may also disclose your personal data to a third party when we check whether you are a politically exposed person in Bulgaria. In this case, we may use the services of providers such as Daxi Bulgaria Ltd. We may use the services of third parties to help us comply with our legal obligations to carry out ongoing monitoring in relation to measures against money laundering and terrorist financing, as well as for fraud prevention. In this regard, we may use the services of providers such as NOTOLYTIX Ltd. The data is processed only within the territory of the European Economic Area and only for the purposes of the checks we are obliged to make by law.

We also disclose your personal data to card schemes, such as Mastercard and VISA, in order to provide you with the Paynetics card and related services.

You can get acquainted with Mastercard’s personal data processing information documents at: https://www.mastercard.us/en-us/vision/corp-responsibility/commitment-to-privacy/privacy.html

You can consult VISA’s personal data processing information documents at: https://usa.visa.com/legal/global-privacy-notice.html#:~:text=We%20respect%20your%20rights%20to,via%20the%20Privacy%20Rights%20Portal.

We disclose your personal data to our service providers when this is necessary to provide our payment services, such as providers of payment processing services.

We disclose your personal data to companies supplying e-wallets, such as Google and Apple. Services such as Google Wallet and Apple Pay provide you with additional opportunities and facilities to use your card (if you have one). When you add your card (if any) to an e-wallet, we provide, with your explicit consent and at your initiative, the data necessary to add it. You can remove the card from third-party e-wallets such as Google and Apple at any time.

We may disclose your personal data to our professional advisers insofar as reasonably justified for risk management purposes, obtaining professional advice or establishing, exercising or defending legal claims, whether in legal proceedings or in administrative or out-of-court proceedings.

We may disclose your personal data when such disclosure is necessary to comply with our legal obligation, for example to state and municipal authorities with the authority to request relevant information.

Storage and destruction of personal data

The personal data we process for any purpose will not be stored longer than is necessary for that purpose.

We will store your personal data as follows:

– All documents collected and processed under the AML legislation, Measures Against Money Laundering Act and its implementing acts, including data and information for your identification, are stored for a period of 5 (five) years from the termination of the contractual relationship with you. At the written instruction of the State Agency for National Security, the storage period may be extended to a total of 7 (seven) years from the termination of the contractual relationship with you. Where information is disclosed on suspicion and/or knowledge of money laundering and/or availability of funds of criminal origin, as well as in other cases where we are required by law to disclose information to the competent authorities, we store the data for 5 (five) years from the beginning of the calendar year following the year of disclosure.

– If you have not successfully passed the checks necessary to access the payment services, the data and documents submitted to us will not be stored within the time limits above, but will be retained for a short period (usually about 10 (ten) business days) only insofar as this would allow you to return to the process at a later stage. If you do not successfully complete the process within the specified short timeframe, the data and documents you have provided for verification purposes will be deleted from our systems.

– Personal data under this Policy will be stored for a period of 5 (five) years from the termination of our contractual relationship with you when it is necessary for the legitimate interests of Paynetics, its partners, representatives, employees and other third parties to protect their rights and legitimate interests. We may store your personal data for a longer period of time if this is necessary to protect the rights and legitimate interests of Paynetics, companies of its corporate group, or other persons, such as its representatives and employees, in which case your personal data will be stored until the completion of the relevant proceedings.

– Personal data under this Policy may be stored for longer periods if this is mandatory under the law applicable to us.

Once personal data is no longer needed, we will securely destroy it.

Changes to this Policy

Paynetics may update this Policy from time to time by posting a new version on this webpage.

We will notify you in an appropriate way of changes to this Policy. Therefore, you should always keep your contact details up to date.

What data protection rights you have

Your rights under the General Data Protection Regulation are:

Right to information: we provide you with information about the processing of your personal data in this Policy.

Right of access: you may request that we provide you with any personal data we hold about you, and the provision of such information will be conditional on the provision of appropriate evidence of your identity.

When you request that we provide you with your personal data, you are entitled to receive a single copy of all relevant information, free of charge. If you request further copies of such information, or if you request access to the same personal data multiple times, we may charge you a reasonable fee covering the administrative costs for providing you with such copies.

Right to rectification: you have the right to request correction of inaccurate personal data about you and, in view of the purposes of processing your personal data, to supplement incomplete personal data about you.

Right to erasure: in some cases, you have the right to request the deletion of your personal data without undue delay. These cases arise when: your personal data is no longer necessary in relation to the purposes for which it was processed; you withdraw your consent to processing carried out on the basis of consent; you object to the processing when the processing is for direct marketing purposes; you object to the processing, and there are no overriding legitimate grounds for the processing; or your personal data have been unlawfully processed.

Right to restrict processing: You have the right to request restriction of the processing of your personal data in any of the following cases:

  • the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of your personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
  • you have objected to processing pending verification whether the legitimate grounds on which we process your personal data override your interests.

Where processing is restricted by reason of any of the above situations, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

Where you have requested restriction of processing, we will inform you before the restriction of processing is lifted.

Right to object to processing: You have the right at any time and on grounds relating to your particular situation to object to processing of your personal data, including profiling, where it is necessary for the purposes of our legitimate interests or the legitimate interests pursued by a third party. The foregoing does not apply where such interests override your interests or fundamental rights and freedoms, or processing is necessary for the establishment, exercise or defence of legal claims.

You have the right to object to the processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).

Paynetics does not process your personal data under this Policy for direct marketing purposes.

Right to data portability: insofar as the legal basis for the processing of your personal data is the performance of a contract to which you are a party or you have taken steps to conclude a contract at your request, and this processing is carried out by automated means, you have the right to request personal data from us in a structured, accessible and machine-readable format, and transfer them to another controller without hindrance on our part, as well as receive a direct transfer from us to another controller when technically feasible. A restriction of this right exists where the transfer of the data would adversely affect the rights and freedoms of third parties.

Right not to be subject to a decision based solely on automated processing: Paynetics does not take decisions that produce legal effects concerning you or similarly significantly affect you solely on the basis of automated processing. Paynetics may use automated means to verify your identity and whether you meet the criteria for using our payment services, incl. in relation to measures against money laundering and terrorist financing, as well as to the current legislation on payment services and the General Terms and Conditions of Paynetics. Decisions are not taken entirely on the basis of automated processing, but are always subject to subsequent human assessment.

Right to lodge a complaint with a supervisory authority: if you believe that the processing of your personal data is in breach of applicable law, you have the right to lodge a complaint with a supervisory authority responsible for data protection. You can do this in the Member State of the European Economic Area where you habitually reside, have your place of work or where the alleged infringement is located. The contact details of the Bulgarian supervisory authority are as follows:

Commission for Personal Data Protection

Address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

E-mail: kzld@cpdp.bg

Website: www.cpdp.bg

You can exercise your rights in relation to your personal data by a written request to us by email to dpo@paynetics.digital, on paper at: Sofia, 76A James Bourchier Blvd., ground floor, or in any other appropriate way, if you have been notified of such by our partner.

The deadline for Paynetics’ response is one (1) month after receipt of your request. This period may be extended by a further two months by Paynetics. In this case, Paynetics will inform you of the extension using the contact details you provide within one (1) month of receipt of the request, indicating the reasons for the delay.

Transfer of personal data outside the European Economic Area

Paynetics will not transfer your personal data processed under this Policy outside the European Economic Area.

How we take care of your personal data

Paynetics takes the utmost care to protect your information, given the nature of the services provided and the possibilities of misuse. We have appropriate technical and organizational measures in place to protect your personal data against unauthorized or illegal use and against accidental loss, damage or destruction. We have implemented strict privacy rules appropriate to the risks to you and apply different types and levels of protection, including information system protection, physical, documentary and personnel protection, and we have bound all our processors to comply with the same measures. Our partners are also bound by obligations to comply with all necessary rules and safeguards, and Paynetics carries out a detailed check of its partners with regard to the protection of personal data before entering into a contractual relationship with them.

However, you are responsible for maintaining the confidentiality of your personal identification data by keeping your identifiers for access to the payment services secret.