Privacy Policy

1. Purpose and Scope

1.1. UAB “Paywho” (hereinafter referred to as we, us, Paywho, Company) is an electronic money institution licensed by the Bank of Lithuania, incorporated and conducting its business in the Republic of Lithuania, legal entity code 305540551, having its registered office at J. Basanavičiaus g. 26, Vilnius, the Republic of Lithuania.

1.2. All personal data collected by us is processed in accordance with the EU General Data Protection Regulation No. 2016/679 (GDPR), Law on the Legal Protection of Personal Data of the Republic of Lithuania and other applicable legal acts.

1.3. In this Privacy policy (hereinafter referred to as the Policy) we explain what kind of personal data we collect when providing you with our services (hereinafter referred to as the Services).

1.4. When referring to ‘you’, we mean you as a potential, existing or former Customer, our Customer’s employee or other parties, such as our Customer’s beneficial owners, authorised representatives, business partners, our merchant’s customers, other associated parties or a person contacting us by e-mail or using other communication means. The processing of personal data of Applicants for vacancies with the Company is explained in the Applicant’s privacy policy. The processing of personal data of the Company’s Employees is explained in Employment agreements and other internal documents of the Company.

2. Principles Relating to Processing of Personal Data

2.1. We are responsible for ensuring the security of your personal data made available to us, in particular for preventing unauthorized access to your data. We are also responsible for ensuring that all users of our Services have the opportunity to benefit from their rights regarding their own personal data.

2.2. When processing personal data, we follow the principles of:

2.2.1. legality, fairness and transparency;

2.2.2. purpose limitation;

2.2.3. data minimisation;

2.2.4. accuracy;

2.2.5. storage limitation;

2.2.6. integrity and confidentiality;

2.2.7. accountability.

3. What Information We Collect, for what Purposes and on what Legal Basis

3.1. Categories of personal data being processed

The personal data we collect can be grouped into the following categories:

| Type of information | Personal data |
| --- | --- |
| 1. Basic personal data | First, last, middle, maiden names, job title, etc. |
| 2. Identification information and other background verification data (your, or your representatives’ and, ultimate beneficiary owner’s) | Name, surname, personal identity code, date of birth, any other unique sequence of symbols granted to you, intended for personal identification, country of birth, address, nationality (in the case of a stateless person – the state which issued the identity document), citizenship, gender, copy of passport or ID card, residence permit or other acceptable document for identification of person indicated by the legislation and its details (e. g., type, number, place and date of issuance, expiry date, MRZ code, signature), evidence of beneficial ownership, the source of funds (funds for account opening or transactions), occupation/employment/position held/other relationship status (e. g. outsourcing), source of wealth (information on how wealth was obtained), tax information (tax residence, tax identification number), number of shares held, voting rights or part of share capital, title, visually scanned or photographed image of your face or image that you provide through a mobile or desktop camera while using our identification application, video and audio recordings for identification and any other information that might be requested and further processed by us in order to comply with the requirements of regulations on Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT). |
| 3. Monetary operations details | Such as currency and amount, location, date and time of the transaction, name of the payer, payer’s payment account number, payer’s address, official personal document number, customer identification number or date and place of birth, IP address of payer or person initiating transaction on behalf of the payer, the name of the payee, payee’s payment account number or unique transaction identifier, indicated purpose of the transaction, messages, documents and information accompanying the transfer of funds, number of transactions and their expected value, as well as any other information that might be requested and further processed by us in order to comply with the requirements of regulations on Transfer of Funds and AML/CFT. |
| 4. Details of your activities in your account on our mobile application | History of the actions performed in your account on our mobile application, technical information, including the internet protocol (IP) address used to connect your computer to the internet, your log-in information (e.g., login time), browser type and version, time-zone setting, operating system and platform, type of device you use, unique device identifier. |
| 5. Details of your activities on our website | History of the actions performed on our website, technical information, including the internet protocol (IP) address used to connect your computer to the internet, time zone setting, operating system and platform. |
| 6. Details of your existing payment accounts | Financial institution account number, IBAN number, payment card number. |
| 7. Information related to legal requirements | Data resulting from enquiries made by the authorities, data that enables us to comply with AML/CFT requirements and ensure the compliance with international sanctions, including the purpose of the business relationship, whether you are a politically exposed person/immediate family member of a politically exposed person/close associate of a politically exposed person (country, place of work, position, entrustment start/end date, prominent public functions) and other data that is required to be processed by us in order to comply with the legal obligation to “Know Your Customer” (KYC) (collected data will differ depending on the customer’s risk score). |
| 8. Contact details | Phone number, e-mail, residential/business address (country, municipality, city, street, house, apartment no.), names and last names of representatives. |
| 9. Special category data | Biometric data. |

3.2. Purposes and legal basis for personal data processing

For each purpose, the legal basis and the categories of personal data processed are listed below.

1. Purpose: To conclude the contract with you, or to take steps at your request prior to entering into a contract

Legal basis:
• Taking necessary steps before conclusion of the contract and/or for conclusion of the contract;
• Legal obligations.

Categories of personal data:
• Basic personal data;
• Identification and other background verification data;
• Monetary operations details;
• Details of your existing payment accounts;
• Information related to legal requirements;
• Contact details;
• Special category data.

2. Purpose: To perform the contract concluded with you, including (but not limited to) provision of the Services

Legal basis:
• Performance of the contract;
• Legal obligations.

Categories of personal data:
• Basic personal data;
• Identification and other background verification data;
• Monetary operation details;
• Details of your activities in your account on our mobile application;
• Details of your existing bank account/-s;
• Information related to legal requirements;
• Details of your existing payment accounts;
• Information related to legal requirements;
• Contact details;
• Special category data.

3. Purpose: To comply with legal obligations (e.g., implementation of the obligations under the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania (hereinafter referred to as AML Law) and other fraud and crime prevention purposes), risk management and complaints handling obligations.

Legal basis:
• Legal obligations

Categories of personal data:
• Basic personal data;
• Identification and other background verification data;
• Monetary operation details;
• Details of your activities in your account on our mobile application;
• Details of your existing payment accounts;
• Information related to legal requirements;
• Contact details;
• Special category data.

4. Purpose: To identify you remotely

Legal basis:
• Your consent;
• Legal obligation.

Categories of personal data:
• Identification information and other background verification data (your, or your representatives’ and, ultimate beneficiary owner’s);
• Special category data.

5. Purpose: To prevent, limit and investigate any misuse or unlawful use or disturbance of the Services or to establish, exercise and defend legal claims

Legal basis:
• Performance of the contract;
• Legitimate interest;
• Legal obligations.

Categories of personal data:
• Basic personal data;
• Identification and other background verification data;
• Monetary operation details;
• Details of your activities in your account on our mobile application;
• Details of your activities on our website;
• Details of your existing payment accounts;
• Information related to legal requirements;
• Contact details;
• Special category data.

6. Purpose: To ensure adequate provisions of the Services, the safety of information within the Services, as well as to improve, develop and maintain applications, technical systems and IT-infrastructure or our legitimate business interests, such as enabling us to improve and deliver a better and more personalized service

Legal basis:
• Legitimate interest.

Categories of personal data:
• Basic personal data;
• Contact details;
• Details of your activities in your account on our mobile application;
• Details of your activities on our website;
• Other personal data needed (in order to evaluate the possibility of providing our Services).

7. Purpose: To provide an answer when you contact us via our website or other communication means

Legal basis:
• Your consent.

Categories of personal data:
• Basic personal data;
• Contact details;
• Other personal data you have submitted with your request.

8. Purpose: To perform the contract with our merchant’s clients

Legal basis:
• Performance of a contract;
• Legal obligation;
• Legitimate interest.

Categories of personal data:
• Basic personal data;
• Details of your existing payment account/-s;
• Monetary operations details.

3.3. We do not process special category data related to your health, ethnicity, or religious or political beliefs unless required by law or in specific circumstances where, for example, you reveal such data while using the Services (e. g., in transaction related details).

3.4. If you provide us personal data about other people (such as your spouse or family) or you ask us to share their personal data with third parties, you confirm that you have brought this Policy to their attention beforehand.

4. How We Collect Your Personal Data

4.1. We collect information you provide directly to us when you:

4.1.1. fill out any forms on our mobile application;

4.1.2. open an account, submit information prior to entering into Service agreement with us or use any of our Services;

4.1.3. contact us via our website or by using other means of communication (e.g., via our social network accounts);

4.1.4. use merchant’s services.

4.2. We may also receive your personal data from third parties. In particular:

4.2.1. we may receive personal data from third parties such as public or private registers and databases. This includes information to help us check your identity, if applicable, information about your spouse and family, and information relating to your transactions;

4.2.2. occasionally we will use publicly available information about you from publicly available sources (e. g., media, online registers and directories) and websites for KYC and due diligence checks, security searches and other purposes related to KYC and due diligence processes;

4.2.3. we may receive personal data from a third party which is connected to you or is dealing with us, for example, business partners, sub-contractors, service providers, merchants, etc.;

4.2.4. we may receive personal data from banks or other financial institutions in case the personal data is received while executing payment operations;

4.2.5. we may receive personal data from other entities which we collaborate with or state authorities that will contact us.

5. Our Identification Tools

5.1. In order to perform your identity verification, we use the services provided by our partner UAB “Ondato” (hereinafter – Ondato). The Service Provider takes the photo images and/or video recordings of your face and your ID document that you provide through a mobile application or a dedicated website using the camera. For more information on Ondato and data processed by Ondato, please check: https://ondato.com.

5.2. Ondato solution is used for comparing live photographic data or video record of you and your ID document, to comply with legal obligations (e.g., implementation of the obligations under the AML Law and other fraud and crime prevention purposes) and risk management obligations.

5.3. The result of the face similarity (match or mismatch) will be retained for as long as it is necessary to carry out verification and for the period required by AML/CFT laws and regulations.

5.4. We ensure that your face similarity check is a process of comparing data acquired at the time of verification, i. e., this is a one-time user authorization by comparing person’s photos to each other. Your facial template is not created, recorded or stored. It is not possible to regenerate the raw data from retained information.

5.5. Using Ondato services, personal data is used for your identification, since Ondato verifies the identity of the person in the identity document and the person captured in the photo. This process shall allow us to verify your identity more precisely and make the process quicker and easier to execute. If you do not feel comfortable with this identification method, you may contact us by e-mail at [cs.eu@paywho.com] for an alternative way to identify you.

6. Direct Marketing

6.1. In case you are an existing Customer (i. e., you already use our Services), we may use your e-mail address, obtained in line with the provisions of GDPR, for direct marketing purposes of our products and services that are similar to the Services you are already using, and only if you have not objected to such use of your e-mail address upon receipt of each of such e-mails. You are also granted a clear, free of charge and easily enforceable possibility to object or withdraw from such use of your contact details. We shall state in each notification sent by e-mail that you are entitled to object to the processing of the personal data, and to refuse receiving messages from us. You shall be able to refuse to receive our marketing messages by clicking on the respective link in each marketing e-mail or notification received from us.

6.2. In other cases, we may use your personal data for the purpose of direct marketing, only if you give us your prior consent regarding such use of the data.

6.3. We are entitled to offer the services provided by our business partners or other third parties to you or find out your opinion on different matters in relation to our business partners or other third parties taking account of the legal basis for this, i.e., your prior consent.

6.4. In case you do not agree to receive these marketing messages offered by us, our business partners or third parties, this will not have any impact on the provision of Services to you as the Customer.

6.5. We provide a clear, free-of-charge and easily enforceable possibility not to give your consent or, at any time, to withdraw your consent to receive our marketing messages. We shall state in each notification sent by e-mail or our mobile application that you are entitled to object to the processing of the personal data, and to refuse receiving messages from us. You shall be able to refuse to receive our marketing messages by clicking on the respective link in each marketing e-mail or notification received from us.

7. Automated Decision Making

7.1. In some cases, we may use automated decision-making which refers to a decision taken solely on the basis of automated processing of your personal data.

7.2. Automated decision-making refers to the processing using, for example, a software code or an algorithm, which does not require human intervention.

7.3. We may use forms of automated decision making on processing your personal data for some services and products. You can request a manual review of the accuracy of an automated decision in case you are not satisfied with it.

7.4. For more information about your rights please see the section Your rights.

8. How We Share Your Personal Data

8.1. We may disclose your personal information to the recipients of the following categories:

8.1.1. public authorities, institutions, courts and other law-enforcement and supervisory institutions, other third parties, but only upon request and only when required by applicable laws, or in cases and under procedures provided for by applicable laws;

8.1.2. third parties providing services to the Company including providers of legal, financial, auditing, tax, business management, personnel administration, accounting, advertising (including online advertising), direct marketing, communications, data centres, hosting, cloud and/or other services. In each case, we provide such third parties with only as much data as necessary to provide their services. Service providers engaged by us may process your personal data only in accordance with our instructions indicated in respective Data Processing Agreement and may not use them for any other purposes;

8.1.3. third parties for the purpose of performance of the contract concluded with you;

8.1.4. our affiliate companies – i. e., companies belonging to the same group. In each case, we provide such companies with only as much data as necessary to comply with the respective regulations and/or subject to provisions of contract concluded with such company. Our affiliate companies may process your personal data only in accordance with our instructions and may not use them for any other purposes indicated in respective Data Processing Agreement and/or strictly in line with the respective legislation;

8.1.5. third parties, when we intend to enter into a business wholesale transaction and/or to perform legal and/or financial due diligence of us prior to such transaction;

8.1.6. other persons in case your prior consent was obtained.

9. International Transfer of Personal Data

9.1. In case your personal data is transferred outside the European Economic Area (EEA), we will take necessary steps to ensure that your data is processed securely and in accordance with this Policy and we will ensure that it is protected and transferred in a manner consistent with the legal requirements applicable. This can be done in a number of different ways, for example:

9.1.1. the country to which we send the personal data, a territory or one or more specified sectors within that third country, or the international organization is approved by the European Commission as having an adequate level of protection;

9.1.2. the recipient has signed or contains in its terms of service (service agreement) standard contractual clauses adopted by the European Commission;

9.1.3. special permission has been obtained from the State Data Protection Inspectorate of the Republic of Lithuania (hereinafter referred to as Supervisory authority).

9.2. We may transfer personal data to a third country by taking other measures if it ensures appropriate safeguards as indicated in the GDPR or on the basis of derogations.

10. How We Protect Your Personal Data

10.1. Please note that, although no system of technology is completely secure, we have to implement appropriate security measures in order to minimize the risks of unauthorized access to or improper use of your personal information.

10.2. We and our third-party service providers, who may be engaged in the processing of personal data on our behalf (for the purposes indicated above), are contractually obligated to respect the confidentiality of the personal data.

10.3. A variety of logical and physical security measures are used to keep your personal data safe and prevent unauthorized access, usage, or disclosure of it (the list indicated below is not exhaustive): we use antivirus software and access control policies; we review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems; we use data encryption, etc.

11. How Long We Keep Your Personal Data

11.1. We will keep your personal data for as long as it is needed for the purposes for which your data was collected and processed, including for the purposes to comply with any legal, regulatory, tax, accounting or reporting obligations. This means that we store your data for as long as it is necessary for provision of the Services and as required by the retention requirements in laws and regulations. If the legislation does not provide any applicable data retention period, it shall be determined by us, taking into account the legitimate purpose of the data retention, the legal basis and the principles of lawful processing of personal data.

11.2. The terms of data retention of the personal data for the purposes of the processing of the personal data as specified in this Policy are as follows:

11.2.1. as long as your consent remains in force, if there are no other legal requirements which shall be fulfilled with regard to the personal data processing;

11.2.2. in case of the conclusion and execution of contracts – for as long as the contract concluded between you and us remains in force and up to 10 years after the relationship between you and us has ended;

11.2.3. the personal data collected and otherwise processed for the implementation of the obligations under the AML Law shall be stored for up to 8 (eight) years from the date of the execution of transactions and/or termination of transactions or business relations with the Customer. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority;

11.2.4. the personal data submitted by you through our website or via e-mail is kept to the extent necessary for the fulfilment of your request and to maintain further cooperation, but no longer than 6 months after the last day of the communication, if there are no legal requirements to keep it longer (e. g. (i) based on AML Law, all the personal data submitted by you during the process of correspondence with you as our Customer (correspondence on business relationships), shall be stored for 5 (five) years from the date of termination of transactions or business relations with the Customer. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority; (ii) based on the Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania, personal data that was collected during the handling of the complaint shall be stored for 5 (five) years from the date of dispatch of final reply to the complainant; unless AML Law or other legal acts should request to keep this information longer).

11.2.5. In cases when the terms of data retention are indicated in other respective regulations, terms indicated in such regulations shall be applied.

11.3. We may retain your personal data for a longer period when:

11.3.1. it is necessary in order for us to defend ourselves against existing or threatened claims, or to exercise our rights, or for the proper resolution of a dispute, complaint or claim;

11.3.2. there is a reasonable suspicion of illegal activity;

11.3.3. it is required by applicable laws.

11.4. Upon expiration of the retention period, we will delete your data as soon as possible, within a reasonable time required to perform such action.

12. Your Rights

12.1. The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data.

12.2. The right to access. You have the right to obtain from us the confirmation as to whether your personal data is being processed and request from us the copies of your personal data. Where your requests are excessive, in particular if they are being sent with a repetitive character, we may refuse to act on the request, or charge a reasonable fee taking into account the administrative costs for providing the information. The assessment of the excessiveness of the request will be made by us.

12.3. The right to rectification. You have the right to request us to correct, update or complete your personal data at any time, in particular if your personal data is incomplete, incorrect or otherwise inaccurate.

12.4. The right to be forgotten. When there is no legal ground for us to process your personal data anymore, you can ask us to delete your data. We will take reasonable steps to respond to your request. If your personal data is no longer necessary and we have neither legal authorisation nor legal obligation to retain it, we will erase it.

12.5. The right to restrict processing. You have the right to restrict the processing of your personal data in certain situations provided for by the legislation (e. g. you want us to investigate whether your personal data processed by us is accurate; we no longer need your personal data, but you want us to continue to hold it for you in connection with a legal claim). In this case your personal data shall, with the exception of storage, be processed by us only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of third parties or for reasons of important public interest of the EU or its Member State(s).

12.6. The right to data portability. Subject to conditions indicated by the regulations, you shall have the right to request that we transfer the data that you have provided to us to another data controller where it is technically feasible or directly to you for further transfer to another data controller.

12.7. The right to object to processing. Subject to conditions indicated by the regulations, you shall have the right to object to certain types of processing (e. g. receiving notifications/direct marketing emails). However, if you object to us using personal data which we need in order to provide our Services, we may need to close your payment account as we will not be able to provide the Services.

12.8. Right to withdraw your consent. If you have given us consent that we need in order to process your personal data, you can withdraw your consent at any time. Use of your personal data up to the point when you withdrew your permission shall be considered lawful.

12.9. Rights related to automated decision-making. You have the right not to be subject to a decision which is based solely on automated processing and which produces legal or other significant effects on you, unless it is necessary for entering into, or performance of, a contract based on which Services are provided to you. In any case you shall have the right to at least:

12.9.1. obtain our human intervention;

12.10. to express your point of view;

12.11. contest the decision made.

12.12. The right to file a complaint with a Supervisory authority. You have the right to file a complaint directly to Supervisory authority if you believe that the personal data is processed in a way that violates your rights and legitimate interests stipulated by applicable legislation. You may apply in accordance with the procedures for handling complaints that are established by Supervisory authority which may be found on its official website here: https://vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas.

12.13. If you would like to exercise any of these rights, please contact us via e-mail: [dpo.eu@paywho.com]. For security reasons, we will not be able to process your request if we are not sure of your identity, so we may ask for your ID as proof or otherwise proceed with verification of your identity. Please note that anonymous complaints, requests, etc. shall not be handled.

12.14. Your requests will be fulfilled, or fulfilment of your requests will be refused by specifying the reasons for such refusal, within 1 (one) month from the date of receipt of the request. The afore-mentioned time frame may be extended for 2 (two) further months where necessary, taking into account the complexity and number of the requests. We shall inform you of any such extension within 1 (one) month of receipt of the request, together with the reasons for the delay.

12.15. We may refuse to satisfy your request if an exception and/or limitation to the exercise of data subjects’ rights set out in the GDPR applies, and/or if your request is found to be manifestly unfounded or disproportionate. If we refuse to satisfy your request, we will give you our reason for such refusal in writing within the terms indicated in 12.14 above and explain the possibility of lodging a complaint with the Supervisory authority and seeking judicial remedy.

12.16. We shall handle your requests/complaints free of charge. However, in cases where your requests shall be manifestly unfounded or excessive, in particular because of their repetitive character, we shall have the right at our sole discretion to:

12.16.1. either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

12.16.2. refuse to act on the request.

13. Links To Other Websites

13.1. Our website may contain links to other websites which are not operated by the Company. When you decide to click on these links and be led to such websites, we recommend familiarising yourself with their privacy policies or notices, cookie policies and/or other documents. The Company assumes no responsibility for the content, policies or practices of such third-party websites or services.

14. Changes To This Policy

14.1. We review this Policy on a regular basis and reserve the right to modify it at any time in accordance with applicable laws and regulations. Any changes will take effect immediately upon their publication on our website.

14.2. Please review this Policy from time to time to stay updated regarding any changes.

15. Contact Us

15.1. You may contact us by writing an e-mail to [cs.eu@paywho.com].

16. Our Data Protection Officer

16.1. Our Data Protection Officer (DPO) continuously monitors our privacy compliance and communicates with us on data protection matters relevant to the provision of our Services. You may contact our DPO regarding all issues relating to our Company’s processing of your personal data and the exercise of your data protection rights by sending an email to the address: dpo.eu@paywho.com.

17. Miscellaneous

17.1. The Policy shall be approved by the Management Board of the Company and revised annually or on an ad hoc basis due to changes in the legislation, launching of the new/specific group of Customers, communication channels, products, services, implementation of new IT solutions, other trigger events.

17.2. Management Board shall be responsible for the implementation of this Policy and monitoring compliance with it, its periodic review and efficiency assessment.

17.3. DPO shall be responsible for timely revision of this Policy and making sure that all employees and directors of the Company are familiar with it and its following amendments/revisions.

17.4. DPO, based on the results of analysis of data subjects’ requests/complaints, might either prepare and conduct specific learnings on Data Privacy/its specific topics/topics related to Data Privacy (for instance, efficient conflict resolution, enhanced learnings on specific compliance requirements, etc.) and/or advise the Management Board to organize such learnings internally/externally as part of corrective/risk mitigating measures.

17.5. The Policy is applicable to and shall be adhered to by all employees and directors of the Company and shall be made available to them through an adequate internal channel or other safe electronic means of communication.