Date of last update: May 2024
1. Why should I read this Privacy Policy?
This Privacy Policy (‘Policy’) describes how PAYSTRAX AB and PAYSTRAX LTD (‘Paystrax’, ‘we’, ‘us’, ‘our’) collect, use, disclose, and store your personal data (‘Data’) and what statutory rights you have under applicable Data protection laws. We may amend this Policy unilaterally from time to time. Any such amendments will be effective immediately upon publication. Please visit our website at www.paystrax.com (‘Website’) regularly for the latest version of this Policy.
We process Data in accordance with applicable legislation, including the General Data Protection Regulation (2016/679) (‘GDPR’) and the applicable national Data protection laws of Lithuania and the UK.
2. Who is responsible for protecting my Data?
PAYSTRAX AB (Lithuania) or PAYSTRAX LTD (UK), depending on the specific company with which you have a relationship. Our email address: info@paystrax.com.
3. How and why do you use my Data?
3.1 Provision of our merchant acquiring services
If you are a representative of a company or business that is our current or prospective customer, we will process your Data to provide you with merchant acquiring services as described in the table below.
|
Legal basis for the processing |
The categories of Data concerned |
Is the provision of Data a requirement? |
| Contract(Art. 6(1)(b) of the GDPR) Legal obligation(Art. 6(1)(c) of the GDPR) |
Name and surname, email address, telephone number, date of birth, country of citizenship and/or country of residence, details of the company that you represent, government-issued identification number, address, profile information (such as username and password), your affiliation with the company, financial account information, information about payment transactions | Yes. If you do not provide your Data, we will not be able to provide you with our services. |
3.2 Anti-Money Laundering and Counter-Terrorist Financing
AML (Anti-Money Laundering) and CTF (Counter-Terrorist Financing) legislation necessitate due diligence, transaction monitoring, regular reviews, and fulfilment of other statutory obligations. To this end, we will need to process the Data of our clients (in rare cases, their customers), ultimate beneficiaries (UBOs), and heads of legal entities who are our clients as detailed in the table below.
|
Legal basis for the processing |
The categories of Data concerned |
Is the provision of Data a requirement? |
| Legal obligation(Art. 6(1)(c) of the GDPR) | Name and surname, bank account number, citizenship, the country which has issued identity, tax identification number, country, postal code, residential address, telephone number, e-mail address, information on your company’s business activities or information on your individual activities, transactions, information on the beneficial owner and the head of a legal entity that is our client: name, surname, personal ID number, date of birth, percentage of shares, voting rights, the country that has issued an identity document, ID information citizenship | Yes. If you do not provide your Data, we will not be able to provide you with our services. |
3.3 Processing your payments
We process the data we need to provide the so-called acquiring services to our merchants (customers) who are selling you goods and services and to carry out chargebacks when needed. This means that we receive your payment on behalf of the merchant and handle related matters around these financial transactions.
|
Legal basis for the processing |
The categories of Data concerned |
Is the provision of Data a requirement? |
| Contract(Art. 6(1)(b) of the GDPR) Legitimate interest (acquiring services and perform chargebacks)(Art. 6(1)(f) of the GDPR) |
Name, surname and chargeback information (in chargeback cases), card number (which is encrypted in accordance with PCI DSS standards), the expiry date (month and year) of your card, the amount of the transaction and the currency in which the transaction is done, the date, time and location (card issuer’s location) of the transaction., other Data our client (merchant) provides about you | Yes. If you do not provide your Data, we will not be able to process your payment |
3.4 Security and improvement of our Website
We need to keep our Website safe and smooth. Thus, please be aware that upon visiting our website, we automatically gather certain technical Data regarding your device and the use of our Website. This is a standard procedure aimed at ensuring optimal functionality and security during your browsing experience.
|
Legal basis for the processing |
The categories of Data concerned |
Is the provision of Data a requirement? |
| Legitimate interest(security and improvement of our Website)(Art. 6(1)(f) of the GDPR) | IP address, log-in information, browser type and version operating system and platform, type of device, a unique device ID, mobile network information, mobile operating system and the type of mobile browser you use, screen resolution, general information about your use of and actions on our Website | No |
3.5 Customer service
We are committed to providing support and answering any questions or complaints you might have. To effectively respond to your inquiries, it is necessary to process your Data as described below.
|
Legal basis for the processing |
The categories of Data concerned |
Is the provision of Data a requirement? |
| Consent(Art. 6(1)(a) of the GDPR) | Email address, subject of your inquiry, date of your inquiry, content of your inquiry, attachments to your inquiry, your name and (or) surname provided in your inquiry, reply to your inquiry, other information provided by you | No |
3.6 Keeping you informed and gathering your feedback about our services
When you used PAYSTRAX’s services, consent to receive marketing communications from us, or in situations where we have a legitimate interest in informing you about our services, we will process your Data as outlined below.
|
Legal basis for the processing |
The categories of Data concerned |
Is the provision of Data a requirement? |
| Consent (Article 6(1)(a) of the GDPR) Customer relationship(Article 81(2) of the Law on Electronic Communications of Lithuania) Legitimate interest(direct marketing)(Article 6(1)(f) of the GDPR) |
Name, surname, email address, telephone number, preferences for receiving marketing communications and details about how you engage with our marketing communications | No |
3.7 Recruitment
When you apply for a position at our company or when we reach out to you regarding a job opportunity, we process your Data as part of the recruitment process as describe below.
|
Legal basis for the processing |
The categories of Data concerned |
Is the provision of Data a requirement? |
| Consent(Art. 6(1)(a) of the GDPR) Legitimate interest (selection of employees)(Art. 6(1)(f) of the GDPR) |
Full name, e-mail, phone number, CV, work experience, other information you provide us with | No |
3.8 Administration of our social media profiles
By engaging with us through messaging, following our pages, or interacting with our posts on social media, your Data will be processed as outlined in the table below.
| Legal basis for the processing | The categories of Data concerned |
Is the provision of Data a requirement? |
| Consent(Art. 6(1)(a) of the GDPR) | Name and surname provided in your social media profile, email address, messages, message information, attachments, comments, shares, reactions, other interactions, other Data provided | No |
3.9 Fulfilment of statutory duties and the establishment, exercise, or defence of legal claims
If you enter into a contract with us, we’ll keep your data for as long as the law requires. This helps us protect our legal rights, just in case. We also need to hold onto some of your information for legal stuff like accounting and record-keeping. And, on the off chance you’re involved in a legal case where we’re also a party, we’ll use your data specifically for that case.
|
Legal basis for the processing |
The categories of Data concerned |
Is the provision of Data a requirement? |
| Legal obligation(Article 6(1)(c) of the GDPR) Our legitimate interest to defend our rights and interests(Article 6(1)(f) of the GDPR) |
All of the above information, legal documents, procedural documents, annexes, court documents, investigation information, criminal convictions and offenses, other data provided. | When processing your data is required under applicable laws, providing this data becomes a legal necessity. If you are unable to provide this data, unfortunately, we will not be in a position to offer our services to you. |
4. How long do you store my Data?
We will not retain your Data longer than necessary for the purposes of processing, except as required by law, which may mandate a longer retention period:
- We store copies of documents confirming the identity of the client, g. copies of customer’s identity documents, beneficiary identity data, documentation of accounts and/or agreements, and other data related to the customer application and due diligence process for 8 years from the date of the end of business relations with the client.
- We store correspondence of business relations with the client for 5 years from the date of the end of the business relations with the client.
- We store records of monetary transactions, e.g. documents, data, and other legally valid information relating to the execution of monetary transactions or confirming a monetary transaction for 8 years from the date of the execution of the monetary transaction.
- We will use your Data for marketing purposes as long as you are our customer or have given us consent, and 3 years thereafter, unless you inform us that you no longer wish to receive such information from us.
- For managing our recruiting and processing employment applications we will retain the Data that we have obtained via our recruitment processes for as long as necessary to evaluate the application and in accordance with all relevant laws and regulations. Furthermore, we may ask for your consent to retain your Data for some time after we have evaluated your application.
- We will retain Data necessary for the protection of our legal interests for 10 years.
- Other Data will be kept for 3 years from the date of your last activity on your account or any other active engagement.
5. Where do you collect my information from?
We collect most of the information from you. In addition, for certain purposes, we may receive information from other sources, as explained below.
|
Information source |
Purpose of collecting information |
| PAYSTRAX group | To operate our business |
| Merchants | To provide our services |
| Registers of legal entities | To comply with applicable legislation |
| Social media service providers | To manage our social media profiles |
| HR service providers | To carry out the selection of potential employees |
| Publicly accessible government lists of restricted or sanctioned persons (such as the Specially Designated Nationals And Blocked Persons List), or politically exposed persons lists | To ensure compliance with the AML, CTF, Sanctions regulations and fraud prevention |
| Public records databases (such as company registries and regulatory filings) and other publicly accessible data | To ensure compliance with the AML, CTF regulations and fraud prevention |
| We and or our third-party verification providers may also collect information from private or commercially available sources, such as by requesting reports or information from credit bureaus and/or fraud prevention agencies, to the extent permitted under applicable law | To ensure compliance with the AML, CTF regulations and fraud prevention |
6. Who do you share my Data with?
Where necessary for the purposes set out above and subject to applicable laws, we share Data with the following Data recipients:
- Between PAYSTRAX AB and PAYSTRAX LTD.
- iDenfy (identity check service provider).
- ACI
- Participants in the transaction processing chain (merchants, banks or other card issuers, card associations).
- Credit reference, fraud protection, risk management, and identity and verification agencies.
- Professional advisors (lawyers, bankers, auditors, and insurers).
- Other service providers (customer support, hosting, communication, social media, website development and maintenance, payment processing service providers).
- State institutions, supervisory authorities, law enforcement authorities, and courts.
- Other third parties, subject to your consent or as required to fulfil contractual obligations.
Where we transfer Data outside the European Economic Area or the UK, we rely on a decision recognising that the relevant third country, territory or one or more specified sectors within that third country or relevant international organisation provides an adequate level of protection for the protection of Data. In the absence of the above decision, we may transfer the Data to a third country or international organisation if we have put in place appropriate safeguards (for example, if we have signed the Standard Data Protection Clauses (Article 46(2)(c) of the GDPR). If no adequacy decision has been made or no adequate safeguards have been established, we will transfer the Data if one of the exceptions provided for in Article 49 of the GDPR applies (e.g., we have your explicit consent).
7. What are my rights?
We have a legal obligation to ensure that your Data is kept accurate and up to date. We kindly ask you to assist us in complying with this obligation by ensuring that you inform us of any changes that have to be made to any of your Data that we are processing.
You may, at any time, exercise the following rights with respect to our processing of your Data:
- Right to access. You are entitled to ask us if we are processing your Data and, if so, for a copy of the Data we hold about you, as well as obtain certain other information about our processing activities.
- Right to rectification. If any Data we hold about you is incomplete or inaccurate, you can require us to correct it.
- Right to erasure. This enables you to ask us to delete Data where there is no good reason for us to continue to process it. You also have the right to ask us to delete or remove your Data where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your Data to comply with local law.
- Right to object. Where our reason for processing your Data is legitimate interest you may object to the processing. You also have the right to object where we are processing your Data for direct marketing purposes.
- Right to withdraw consent. Where our reason for processing is based on your consent, you may withdraw that consent at any time. If you withdraw your consent, we may not be able to provide certain services to you.
- Right to the restriction of processing of your Data. You can contact us with a request to restrict the processing of your Data, except for storage, if one of the following applies:
- you contest the accuracy of the Data for a period enabling us to verify the accuracy of the Data;
- the processing of your Data is unlawful, and you oppose the erasure of your Data and request the restriction of their use instead;
- the Data are no longer necessary in relation to the purposes for which they were collected, but they are required by you for the establishment, exercise, or defence of legal claims;
- you have objected to processing pending the verification whether our legitimate grounds override your legitimate grounds. It is possible that due to the restriction of processing of Data and during the period of such restriction we will not be able to ensure the provision of services to you.
- Right to portability of your Data. You can contact us with a request to receive Data concerning you which you have provided to us in a structured, commonly used and machine-readable format, also you can submit a request for us to transmit your Data to another controller to the extent this is technically possible and when:
- the processing of your Data is based on your consent or performance of an agreement concluded with you; and
- the processing of your Data is carried out by automated means.
- Opt-out from marketing. We will also allow you to opt-out of our communication with you whenever we send you information about Paystrax or any other information that we believe may be of interest to you. Additionally, you can also opt-out at any time by contacting us.
- Right to file a complaint regarding the processing of Data. You have a right to file a complaint with the respective supervisory authority (Lithuanian or UK).
8. Do you engage in automated individual decision-making, including profiling?
No, we do not make decisions based solely on automated processing, including profiling, which would produce legal effects concerning you.
9. Cookies used to process your Data
9.1 What are Cookies?
A cookie is a small file (usually less than 1 kB), typically of letters and numbers, downloaded on to a device such as a computer or mobile device when you access our website. For more information about cookies or local storage, including how to see what cookies have been set and how to manage, block and delete them, see: http://www.allaboutcookies.org/.
9.2 How can I control Cookies?
You can control and/or delete cookies as you wish via browser settings. You can delete all cookies that are already on your computer, and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site, and some services and functionalities may not work.
These cookie settings are usually found in the ‘options’ or ‘preferences’ menu of your internet browser. To understand these settings, the following links may be helpful. Otherwise, you should use the ‘Help’ option in your internet browser for more details.
9.3 What are the types of Cookies you use?
PAYSTRAX may use the following cookies:
Types of Cookies
First and third-party cookies: whether a cookie is ‘first’ or ‘third’ party refers to the domain placing the cookie. First-party cookies are those set by a website that is being visited by the user at the time.
Third-party cookies are cookies that are set by a domain other than that of the website being visited by the user. If a user visits a website and another entity sets a cookie through that website, this would be a third-party cookie.
Duration of Cookies
Session cookies – these cookies allow website operators to link the actions of a user during a browser session. A browser session starts when a user opens the browser window and finishes when they close the browser window. Session cookies are created temporarily. Once you close the browser, all session cookies are deleted.
Persistent cookies – these cookies remain on a user’s device for the period of time specified in the cookie. They are activated each time that the user visits the website that created that particular cookie.
List of cookies used on our Website
|
Cookie |
Category | Purpose | Type | Duration |
Expiration |
| viewed_cookie_policy | Necessary | Show / hide the cookie warning | First-party cookie | Persistent | Expires in 1 (one) year |
| wfwaf-authcookie-(hash) | Protection | This cookie is used by the Wordfence firewall to perform a capability check of the current user before WordPress has been loaded. | First-party cookie | Persistent | Expires in 1 (one) day |
| wordpress_logged_in_[hash] | Protection | After login, WordPress sets the cookie, which indicates when you’re logged in, and who you are, for most interface use. | First-party cookie | Session | When the browsing session ends |
| wp-settings-{time}-[UID] | Other | WordPress sets a few settings cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface. | First-party cookie | Persistent | Expires after 1 (one) year |
| wordpress_sec_{id} | Other | Used to save options in plugins and admin paths. | First-party cookie | Session | When the browsing session ends |
| wp-settings-time-[UID] | Other | The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface. | First-party cookie | Persistent | Expires in 1 (one) year |
| wp-settings-[UID] | Other | WordPress also sets a few wp-settings-[UID] cookies. The number on the end is your individual user ID from the users database table. This is used to customize your view of admin interface, and possibly also the main site interface. | First-party cookie | Persistent | Expires in 1 (one) year |
| cookielawinfo-checkbox-performance | Performance | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Performance”. | Third-party cookie | Persistent | Expires in 1 (one) year |
| cookielawinfo-checkbox-others | Other | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Other. | Third-party cookie | Persistent | Expires in 1 (one) year |
| cookielawinfo-checkbox-necessary | Necessary | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category “Necessary”. | Third-party cookie | Persistent | Expires in 1 (one) year |
| cookielawinfo-checkbox-analytics | Analytics | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category “Analytics”. | Third-party cookie | Persistent | Expires in 1 (one) year |
| cookielawinfo-checkbox-advertisement | Advertisement | Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the “Advertisement” category . | Third-party cookie | Persistent | Expires in 1 (one) year |
| viewed_cookie_policy | Other | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. | Third-party cookie | Persistent | Expires in 1 (one) year |
| CookieLawInfoConsent | Other | Records the default button state of the corresponding category along with the status of CCPA. It works only in coordination with the primary cookie, viewed_cookie_policy. Contain values of both viewed_cookie_policy and cookielawinfo-checkbox-necessary/cookielawinfo-checkbox-non-necessary along with CCPA values. | Third-party cookie | Persistent | Expires in 1 (one) year |
| mtv1Pulse | Protection | service.mtcaptcha.com Cookies needed for reCAPTCHA service | Third-party cookie | Session | When the browsing session ends |
| jsV | Protection | service.mtcaptcha.com Cookies needed for reCAPTCHA service | Third-party cookie | Session | When the browsing session ends |
| mtv1ConfSum | Protection | service.mtcaptcha.com Cookies needed for reCAPTCHA service | Third-party cookie | Session | When the browsing session ends |
10. How do I submit a request / contact your DPOs?
If you have any questions concerning PAYSTRAX processing of personal data, you can reach us by email customersupport@paystrax.com
PAYSTRAX has appointed Data Protection Officer who can be reached by dpo@paystrax.com
11. Can this Policy be amended?
We update this Policy from time to time.
Last update date: May 2024