Paynetics Privacy Policy

If you are an EU/EEA resident, the Privacy Policy specified in section A. Privacy Policy of Paynetics AD (EU/EEA Residents) shall apply to the processing of your personal data in relation to your Account, Card and any other associated services provided to you by Paynetics AD. By clicking the relevant box you confirm that you have read the Privacy Policy.

If you are a UK resident, the terms and conditions specified in section B. Privacy Policy of Paynetics UK (UK Residents) shall apply to the processing of your personal data in relation to your Account, Card and any other associated services provided to you by Paynetics UK Limited. By clicking the relevant box you confirm that you have read the Privacy Policy.

1. Privacy Policy of Paynetics AD (EU/EEA Residents)
   
   This privacy policy will describe the way Paynetics collect, store and use your personal information regarding the mobile application MyMonty and Paynetics card as well as the purposes for their collection and the grounds of their collection and processing including the rights of the personal data subjects with regard to Regulation (EU) 2016/679 of the European Parliament and the Council from 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive).
   
   Definitions “Functionalities” – means all services which MyMonty app offers, and which are explained in detail in our Terms of Service
   
   "MyMonty app" means the application, through which Monty Finance UK Ltd, with seat and management address: Bridge House, 181 Queen Victoria Street, London, United Kingdom, EC4V 4EG, provides you certain services via its mobile application which you may download for free from Google Play Store and/or App Store and which, when installed in your mobile device, allows you to execute defined payment functionalities which are explained in detail in our Terms of Service.
   
   "Paynetics” means "Paynetics AD", with seat and management address: Sofia, Sofia Municipality, commune of Losenets, 76-A, James Bourchier Blvd., ground floor, entered in the Commercial Register and Register of Non-Profit Legal Entities maintained by the Registry Agency under UIN No. 31574695. Paynetics AD is a company for e-money, holder of a license for performing activity as e-money company, issued by the Governing board of Bulgarian National Bank with Decision № 44 from 11 April 2016 and is entered into the register kept by Bulgarian National Bank which may be found here. Bulgarian National Bank performs supervision on the activity of "Paynetics" AD. "Paynetics" AD is registered as an administrator of personal data with Certificate № 3721 / 25.01.2015 in the Commission for Personal Data Protection.
   
   "Phyre" means "Phyre AD" - company registered in Republic of Bulgaria with UIN No. 203617076 which technically maintains and exploits MyMonty App. Phyre provides services as a provider of technical services supporting the provision of payment services without assuming possession of the funds which should be transferred, including through processing and storage of data, the authenticity of the data and the object, the information technologies and the communication network, procurement, provision and maintenance of terminals and devices used for payment services, excluding the services for initiation of payments and information services on accounts. Phyre processes your personal data as a Paynetics processor.
   
   "Paynetics" or “we”, ”our or “us” is the administrator of your personal data. “Phyre” is the processor of your personal data for the purposes of the MyMonty App. Monty Finance UK Ltd is a data processor for Paynetics in relation to the customer support.
   
   This policy represents an important document. We recommend that you read it carefully, print it out and keep a copy for further reference.
   
   How to contact us
   
   In case you have questions regarding the way we collect, store and use your personal information or want a copy of the information we keep for you, please contact us by:
   
   writing to the designated personal data officer in Paynetics at address: 76, "James Bourchier" Blvd,
   
   1407 - Sofia, Bulgaria; or by sending us a message at: dpo@paynetics.digital
   
   In case you do not want to receive marketing messages which you told us previously that you wanted to receive, please contact us by using the aforementioned details.
   
   Personal data and information that we collect from you
   
   "Personal data" is defined in Article 4, paragraph 1 of GDPR (Regulation (EU) 2016/679): "(1)"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ".
   
   This Privacy policy and personal data protection is intended to inform you as a user about what categories of personal data we may collect or collect from you in relation to the use of the MyMonty App. We use and we may provide you with the stored data upon your request. We do not collect personal data from no one under the age of 18 years.
   
   From the first contact that we have with you until providing you with MyMonty App and Paynetics card, we collect personal information for you, including:
   
   - Your name, address, email, mobile phone number, date of birth, Google Advertising Id and data on your payment card and any other information you grant when applying for our services and use MyMonty App;
   
   - Details on the communications with you (via email, internet, our call centre or via third parties), when you contact us to signal about a problem or make a query.
   - Your answer to the inquiries which we ask you to perform for research purposes, if applicable.
   - Details on the transactions you make with your Paynetics card.
   - Information from agencies for fraud prevention and credit reference agencies or other organizations taking part in the support or the provision of MyMonty App and the related services.
   - Information about the way you use and manage your MyMonty App, the services we maintain and the payments you make.
   - Your photo; a copy of passport or identity card; utility bill; bank statement; photograph (selfie) with passport or identity card.
   Every time you use MyMonty App, this version of the Privacy policy and personal data protection will be applied. You express your informed and explicit consent to grant your personal data on a purpose to be collected and processed by us. You may find in this policy exhaustive information about the use of the personal data by us. Our application will exert control over the privacy which is related to the way we will process your personal data. Upon granting your personal data you may indicate your consent or rejection to the collection or processing of your personal data. For what purposes we will use your personal information.

We will use your personal information in order to:
- provide you with the MyMonty App services.
- perform checks to verify your identity and to verify your address in accordance with the legal requirements and to process your application.
- contact you regarding the services we provide, for instance, applying for card issuing, administering your cards, card blocking and transactions history of your Paynetics card.
- handle any inquiries or questions which you have regarding our services.
- prevent or uncover frauds, recording of suspicious or fraudulent behavior or suspicions for incorrect or imprecise information. - observe our legal obligations.
- collect our expenses in relation to the court decisions (including to negotiate agreements for payments with you and to collect the fees due by us and expenses in relation with the legal enforcement); - present you with our other products and services, if you have agreed to that.
- raise the awareness of the users of our services through carrying out of polls and market research.
Paynetics will notify you about news regarding the product, promotions, bargains, and other promotional messages via push notifications, and via email.
MyMonty App services use Firebase to collect information regarding the use of the mobile application by the users in order to improve the user experience.
Paynetics will contact you via email; the so-called "push notifications" and in-app messages. „Push notifications” are a technique used by applications for portable smartphones, tablets and devices allowing the owners of such devices to receive news, messages etc. via the appropriate application.
In case Paynetics intend to use your personal data for other purposes, you will be notified and asked for your explicit consent about that.
On what grounds we collect and process your personal data:
1. We may process your data for your account and your profile in MyMonty App ("profile data"). The data for your account is unique and includes your email, mobile phone number and password and your profile may include your name, email, date of birth, nationality and address, photo and telephone number. You provide us with that data in order to register your account and profile and to use our services. The data for the account and your profile may be processed in order to access your profile via the MyMonty App, and in order to grant you our services by guaranteeing high level of security of our platform, maintenance of protected reserve copies of our database and performing of communication with you. The data for the profile may be processed also for the purposes of granting full access to the services we provide, MyMonty App, your Paynetics card and monitoring of your activity. The legal ground for this processing is the contract signed between us and our legal obligation to apply mechanisms for identification and high level of authentication at the provision of financial services.
2. We may process your data granted in the process of using our services ("data for using the services"). The data for using the services may include registration files for accessing our platform as well as a history for the granted and used services. The source of data for using the services is our platform where you maintain a registered account and profile. The data for using the services may be processed for the purposes of functioning of the application, provisioning of our services, guaranteeing the security of the Application and services related to maintenance of protected backup copies of our database and contacting you. The legal ground for this processing is the contract signed between us and our legal obligation to apply mechanisms for identification and high level of authentication at the provision of financial services.
3. We may process your personal documents which you upload in our platform via Your registration ("data on the content"). The data on the content in the form of attached files may be processed for the purposes of identification and verification of your identity which enables you to use our website, mobile application and our services. The legal ground for this processing is your consent and our legal obligation to confirm your identity due to reasons related to counter money laundering and financing of terrorists, before granting you the payment services of MyMonty App and Paynetics card.
4. We may process information contained in any query which you send us about our services ("data on queries"). The information on queries may be processed for the purposes of the supply, the marketing and the sale of the relevant services to you. The legal ground for this processing is your consent to receive information and to improve our communication channels with you.
5. We may process the information related to the transactions made and the granted services which are performed through MyMonty App and Paynetics card ("transaction data"). The transaction data may include data on the card, the bank account and the transaction history details. The transaction data may be processed with the purpose of granting services and maintaining correct records about these transactions in our system. The legal ground for this processing is the execution of the contract concluded between us or undertaking of steps upon your demand for concluding of such a contract and our legal obligations.
6. We may process the information which you grant us as subscribers of our email messages and/or newsletters ("data on messaging"). The data on messaging may be processed for the purposes of sending of the relevant messages and/or newsletters. The legal ground for this processing is your consent OR the execution of a contract concluded between YOU and us and/or undertaking of steps upon your demand for concluding of such a contract for using of the services Paynetics card.
7. We may process the information containing in or relating to any communication you send us ("data on correspondence"). The data on the correspondence may include the content of the communication and the metadata related to the accomplished communication. Our website generates metadata related to the communication through the contact form or the query form. The data on correspondence may be processed for the purposes of the communication with you and the keeping of archives for required and granted information. The legal grounds for this processing are our legal interests, namely the correct administration of our website and our contract relationships as well as the communications with the users.
8. We may process all personal data indicated in this Policy when this is needed for instituting, prosecution or defense of/against legal actions/claims regardless of whether it is in legal proceedings or in administrative or extrajudicial procedures. The legal ground for this processing are our legal interests, namely the defense and the confirmation of our legal rights, your legal rights and the legal rights of third parties/.
9. In addition to the specific purposes, to which we may process your personal data indicated in this Policy, we may also process your personal data when such processing is needed for observing of a legal obligation which we have, or to protect your vital interests or the vital interests of another physical person.
10. Please do not grant personal data to any other person unless we explicitly require you to do so in relation to granting of additional service.
11. The service is managed from technical point of view by "Phyre" AD. By adopting this Policy, you explicitly agree that the technical processing of the data granted to Paynetics AD by you is performed partially by "Phyre “AD on behalf of the administrator. Customer support is provided by Monty Finance UK Ltd. who is a data processor for Paynetics in relation to the customer support.
11.1. We may disclose your personal data to any member of our group of related companies (including but not limited to our daughter companies, authorised representatives, entire company structure), insofar this is reasonably justified for the purposes and the legal grounds indicated in this Policy.
11.2. We may disclose specific personal data required for the purposes of the identification and verification of your identity done by our authorized suppliers or subcontractors when it is reasonably justified for the specific purposes. In any case you explicitly agree, with a view to the services provided by us, that we may grant your data to agencies for credit control or agencies for fraud prevention and other organizations: to verify the entire personal information provided by you in order to confirm your identity. The agencies may record your information and the searches made (even if any application is unsuccessful or not finished).
11.3. We may disclose your personal data also to companies of third parties with a view to the services provided by us. More specifically, but without limitation, our services use and rely on the services for processing and storage of Phyre: Firebase. We may disclose your personal data also to card networks and payment schemes, such as MasterCard, VISA: in order to provide you with MyMonty App, the Paynetics card and the related services.
11.4. We may disclose your personal data to our professional experts, insofar it is reasonably justified for the purposes of the risk management, the getting of professional advices or the instituting, prosecution or defense of/against legal actions/claims regardless whether it is in legal proceedings or in administrative or extrajudicial procedures.
11.5. In addition to the specific releases of personal data indicated in this Policy, we may disclose your personal data when such disclosure is needed for observing of a legal obligation which we have, or to protect your vital interests or the vital interests of another physical person.
12. You explicitly agree and give your consent that you may become a subject of an automated risk assessment, although Paynetics ensures you that the final decisions are always taken by an authorized employee of the company.
13. We may grant your data to certain third persons who may use your personal information in order to send you marketing messages, only in case you have explicitly given your consent for them to do this, and you have approved the purpose for processing of your data.
STORAGE AND DESTRUCTION OF PERSONAL DATA
14. This section shall define the regulations and the procedure for storage of data which are intended to guarantee the observance of our legal obligation for storage and destruction of personal data.
15. The personal data which we process for any purpose(s) whatsoever, should not be stored longer than necessary for this purpose or these purposes.
16. We shall store your personal data, as follows:
16.1 all personal data will be stored for a minimal period of 5 (five) years after the termination of our contact for servicing.
16.2 Your personal data will not be additionally processed in a way incompatible with the purpose(s) for which they have been preliminarily collected.
17. We shall apply appropriate security measures against unauthorised access or non-permitted change, disclosure, or destruction of the data, and against all other illegal forms of processing.
18. When the purpose for which the personal data have been received, is terminated and the personal data are not required any more, we will destroy them or will delete them in a secure way.
19. Regardless of the remaining provisions of this section, we may retain your personal data when such retention is necessary for observing a legal obligation, required from us or to protect your vital interests, or the vital interests of another physical person.

SECURITY
20. We shall respect the security of your personal data and shall use reasonable electronic, cadre and technical measures in order to protect them from loss, theft, change or abuse.
Nevertheless, bear in mind that even the best security measures cannot completely remove all risks.
21. We strive to protect the entire information of the application in the proper way. You however bear responsibility for the protection of the privacy of your personal data for identification, by keeping your passwords for access to the MyMonty App confidential and protected. You should change your password immediately if you suspect that someone has obtained unauthorised access to it or to your profile. If you lose control over your profile, you should immediately inform the responsible contact person in Paynetics, indicated at the beginning of this Policy.

CHANGES
22. Paynetics may update this policy periodically by publishing a new version. That is why you should accept this Policy each time when you register in the application.
23. Regardless from the above said, we retain our right to notify you at the email address provided by you about any changes in the present policy. That is why you should always keep your contact data updated.
YOUR RIGHTS
24. You may require from us to grant you the whole personal information which we store for you, the granting of such information depending on:
24.1 submitting of appropriate proofs for your identity (to that effect we will ask you to submit documents for identity verification via our platform).
24.2 You have the right to instruct us to provide you with your personal data processed by us. Whereas your requests are manifestly unfounded or excessive, in particular because of their recurrence, we may charge a reasonable fee for providing the information or take an action to process your request.
24.3 The deadline for giving a response from Paynetics actually is fixed at one (1) month after receipt of your request. This term may be prolonged by Paynetics with additional term of 10 days. In that case Paynetics will inform you about the extension at your email address or at your telephone number.
24.4 You may require access to your personal data by sending an email to dpo@paynetics.digital or by visiting our application when you have entered through your registered profile.
25. We may retain your personal information for which you have required access within the legally permitted frame.
26. You may require from us at any time to not process your personal data for marketing purposes.
27. In practice, you usually either agree beforehand your information to be used for marketing purposes, or we shall give you the opportunity to renounce the use of your personal information for marketing purposes.
28. Your fundamental rights in accordance with the Law on the protection of personal data and General Data Protection Regulation are:
28.1 right of access;
28.2 right of rectification;
28.3 right of erasure;
28.4 right to restriction of processing;
28.5 right to object against processing;
28.6 right to object against data portability;
28.7 right to file a complaint with a supervisory body; and
28.8 right to withdraw the consent.
29. You have the right to require correction of inaccurate personal data for you and with a view to the processing of your personal data, to supplement incomplete personal data for yourself.
30. In some cases you have the right to request erasure of your personal data without ungrounded delay. These hypotheses arise when: your personal data is not needed any more with regard to the purposes for which the data has been collected or processed; you withdraw your consent
for processing made on the basis of consent; you object against the processing in accordance with certain rights of the applicable legislation for protection of the personal data; the processing is for the purposes of the direct marketing; your personal data were illegally processed. Restriction of the right to erase personal data is present when the processing of these personal data is needed for exercising of the right of freedom of expression and information; for observing of obligation arisen by virtue of a normative act; or for instituting, prosecution or defense of/against legal claims.
31.1. You have the right to require restriction of the processing of your personal data in some of the following cases:
- the precision of the personal data is disputed by you, for a term which allows the administrator to verify the accuracy of your personal data;
- the processing is unlawful, but you don't want your personal data to be deleted but instead require its use to be restricted;
- the administrator does not need any more your personal data for the purposes of processing, but you require their processing for instituting, prosecution or defense of legal claims;
- you have objected against the processing waiting for examination whether the legal grounds on which we process your personal data have priority over your interests;
31.2. When the processing is restricted due to one of the hypotheses quoted above, such data will be processed, with exception of its storage, only with your consent or with the purpose of instituting, prosecution or defense of legal claims, protection of the rights of another physical person or due to important grounds of public interest for the European Union or a Member State.
31.3. When you have requested restriction of the processing pursuant to paragraph 1, we shall inform you before the revoking of the restriction of the processing.
32. You have the right at any time and on grounds related to your specific situation, to object to processing of your personal data when a processing is performed on one of the following grounds:
- the processing is needed to execute a task of public interest or at the exercising of official powers which have been granted to us;
- the processing is needed for the purposes of our legitimate interests or of a third party, except when priority over such interests has the interests or the fundamental rights and freedoms of the data subject which require protection of the personal data, more specifically when the data subject is a child.
33. In case you have explicitly given your consent for processing of your personal data for the purposes of direct marketing (including profiling for the purposes of the direct marketing), you have the right to object against such processing at any time. In case you make such an objection we will discontinue the processing of your personal data to that effect. We will discontinue the processing of your personal data, except when we find out that there are convincing legal grounds for the processing which have priority over the interests, rights and freedoms of the data subject or for instituting, prosecution or defense of legal claims.
34. We will process your personal data for historical scientific purposes or for statistical purposes only if such processing is needed to execute a task performed by considerations for public interest.
35. Insofar the legal ground for the processing of your personal data is:
35.1 a consent; or
35.2 the processing is necessary for the execution of a contract you are a party to or have undertaken steps to conclude a contract upon your request, and this processing is performed in automated ways,
You have the right to request personal data from us in a structured, accessible and machinereadable format. A restriction of this right shall be present when the transfer of the data will affect unfavorably the rights and freedoms of third persons. The same will be valid when your personal data are transferred to another administrator (Right of transfer of data).
36. In case you consider that the processing of your personal information is in violation of the laws on data protection, you have the right to file a complaint with a supervisory body responsible for
the data protection. You may do this in the Member State of EU where you usually reside, are employed or at the place of the presumed violation.
37. Insofar the legal ground for the processing of your personal information is consent, you will have the right to withdraw this consent at any time. The withdrawal will not affect the conformity with the law of the processing before the withdrawal as well as it will not affect or restrict the processing of any other legal ground or contract.
38. You may exercise your rights with a view to your personal data by written notification to us and to send it to our official contact email address published on our website.
39. We will keep some of your data in order to enable subsequent personal identification, in order to avoid abuse, for rectifying problems, in order to assist to any investigations, in order to apply our General provisions and/or to observe legal requirements for storage of personal data. Therefore, you should not expect that all your personal identifying information will be completely removed from our database in response to your request. We also keep history of the changes made to the granted data, in order to investigate presumed frauds with your profile.
MONITORING FOR QUALITY ASSURANCE AND TRAINING
40. We strive to guarantee that the services we provide to our clients are of possibly the highest standard. With a view to that purpose, sometimes it may become necessary to record the telephonic and electronic messages between our employees and third persons in order to assure the quality and training or if it is permitted by the law only after you have been notified of that. We will always perform monitoring of the communications with accordance to the applicable legislation and at any time will continue to protect the privacy of your messages in accordance with these rules.
International transfers of personal data (including to providers of services assigned to external subcontractors)
41. It may become necessary to transfer your personal information to business partners and services providers residing in territories outside the European Economic Area ("EEA"). For instance, we may maintain the MyMonty App and the Paynetics card and the services related to it from centres such as USA and we may process payments via other organisations like card networks and payment schemes located outside EEA. Upon downloading and usage of MyMonty App, of Paynetics card you explicitly agree to that. You should bear in mind that we will never transfer your personal data to a state or to an organisation which does not offer sufficient level of protection, without your explicit informed consent. The protection provided by General Data Protection Regulation (GDPR) follows the data provided by you which means that the rules for personal data protection continue to be applied regardless of the place where the data is located. This is valid also when the data is transferred to a state which is not member of EU (hereinafter referred to “third country”). Here are the cases which the General regulation envisages for authorized transfer of personal data:
• Sometimes by decision of the European Commission may be declared that a third country offers adequate level of protection (“decision for adequate level of protection“) which means that we may transfer data to other company in that third country without submitting additional guaranties or the data becoming subject of additional conditions. In other words, the transfers to a third country with adequate level of protection will be comparable to the transfer of data within EU;
• In case of absence of a decision for adequate level of protection the transfer may be made via providing appropriate guaranties and under condition that applicable rights are present
and effective legal means of protection of the physical person. These appropriate safeguards include, among others:
• In the case of a group of enterprises or groups of companies performing joint economic activity, the companies may transfer personal data on the basis of the so-called bonding corporate rules;
• Contract agreement with the recipient of the personal data, by using for instance the standard contract clauses approved by the European Commission;
• Observing of a Code of conduct or mechanism for certification, together with obtaining of bonding and executable commitments from the recipient for enforcing of appropriate safeguards for protection of the transferred data; and finally, if it is envisaged to transfer personal data to a third country which is not a subject to a decision for adequate level of protection, and if appropriate safeguards are missing, there may be made a transfer on the basis of a number of exceptions for specific situations, for instance when a person has agreed explicitly with the suggested transfer, after being provided with all necessary information regarding the risks related to the transfer.
How we take care of your personal information
We have at our disposal technical and organisational assurance according to us appropriate for the protection of your personal information against unauthorized or unlawful use, damage or destruction. We have introduced strict rules for privacy (including obligations for data protection) with our services providers from third countries.

1. Privacy Policy of Paynetics UK (UK Residents)
   
   Our contact details
   Name: Paynetics UK Ltd (hereinafter referred to as “Paynetics UK”, “we”, “us” and “our”) is regulated as an e-money institution (ref: 942777) licenced under the Financial Conduct Authority (“FCA”) and organized under the laws of England and Wales, with company number 12481335,
   Address: registered address 1st Floor, 18 Devonshire Row, London EC2M 4RH
   Phone Number: +44(0)330 223 6848
   Date of adoption: 1 November 2023
   The type of personal information we collect
   We currently collect and process the following information:
   
   • IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use, logs of your use of our platform, and history of the associated services with our platform;
   • Email address
   • Nationality, gender and date of birth
   • Profile pictures
   • Financial information;
   • Image of passport and passport details;
   • Enquiry data;
   • Information contained in or relating to any communications with us.
   
   How we get the personal information and why we have it
   Most of the personal information we process is provided to us directly by you for one of the following reasons:
   • We may process your data about your use of our website and services;
   • We may process your data for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you;
   • We may process your data for the purposes of enabling and monitoring your use of our website and services;
   • We may process your data in order to provide to you our card issuance and payment services (according to our Terms and Conditions: https://www.paynetics.digital/terms-and-conditions/);
   • We may process your data to send you information and marketing material about our services;
   We collect information about you when we receive it from other users, thirdparties, and affiliates, such as:
   • When you connect your account to third-party services or sign in using a third-party partner (Google ads);
   • From publicly-available sources;
   • From advertisers about your experiences or interactions with their offerings;
   • When we obtain information from third-parties or other companies, such as those that use our services. This may include your activity on other sites and apps as well as information those third-parties provide to you or us.
   
   We may share this information with:
   • We may disclose your personal data to any member of our group of companies (this means our affiliates and subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.
   We disclose your data to Paynetics AD, based in Sofia, Bulgaria. Paynetics AD is a licensed e-money institution, operating under the laws of the Republic of Bulgaria. Paynetics AD has developed, owns, operates and maintains a proprietary electronic online system (the “Paynetics System”) for the issuance and storage of electronic money, maintaining payment accounts, the association of the card accounts with International Service Provider Account Numbers (IBANs) and sort codes to support the efficient receipt and transmission of funds through its system, and the execution of payment transactions and related thereto collection and exchange of data. For more information about Paynetics’ AD Services and the way they protect your data, please view their privacy and security policy here: https://www.paynetics.digital/privacyand-security-policy/.
   • We may disclose specific personal data, requested for identification and verification purposes to our authorized suppliers or subcontractors as reasonably necessary for specify purposes.
   • We may disclose your personal data to our professional advisers insofar as reasonably necessary for the purposes for managing risks, obtaining professional advice, or the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-ofcourt procedure.
   • We will share your data if we are required to do so by law - for example, by court order, or to prevent fraud or other crime.
   • We may disclose your data to one or more of our co-partners, identified on our website for the purpose of enabling them to contact you so that they can offer, market and sell to you relevant services having the same purpose as the services Paynetics UK offers. Each such co-partner will act as a data controller in relation to the usage and enquiry data that we supply to it; and upon contacting you, each such co-partner will ask you to give your consent to its privacy policy.
   • In addition to the specific disclosures of personal data set out in this policy, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or outof-court procedure.
   We require all third parties to respect the security of your personal data and treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes – we only permit them to process your personal data for specified purposes and in accordance with our instructions.
   International transfers
   We do not transfer your personal data outside the European Economic Area (EEA).
   Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
   (a) Your consent. You are able to remove your consent at any time.
   (b) We have a contractual obligation.
   (c) We have a legal obligation.
   (d) We have a legitimate interest.
   How we store your personal information
   We take the security of your personal data seriously and use reasonable electronic, personnel and physical measures to protect it from loss, theft, alteration or misuse. However, please be advised that even the best security measures cannot fully eliminate all risks.
   We are dedicated to protecting all information on the website as is necessary. However, you are responsible for maintaining the confidentiality of your personal authentication information by keeping your password to our website private. You should change your password immediately if you believe someone has gained unauthorized access to it or your account. If you lose control of your account, you should notify us immediately at: dpo@paynetics.digital
   We have data retention policies and procedures in place, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
   Personal data that we process for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes.
   We will retain your personal data as follows:
   All personal data will be retained for a period of 6 years plus the current year following termination of our mutual Service contract.
   As an exception of the Service contract, transaction data will be kept up to a maximum of thirteen months to allow for resolution of potential disputes and payment queries.
   All personal data will not be further processed in a manner incompatible with the purpose or purposes for which the information was originally collected.
   Paynetics UK will take appropriate security measures against unauthorized access to, or unauthorized alteration, disclosure or destruction of, the data, and against all other unlawful forms of processing.
   Once the purpose for which the personal data was obtained has ceased and the personal data is no longer required, Paynetics UK will delete or dispose of it in a secure manner.
   Notwithstanding the other provisions of this Section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subjects.
   Your data protection rights
   Under data protection law, you have rights including:
   Your right of access - You have the right to ask us for copies of your personal information.
   Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
   Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
   Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
   Your right to object to processing - You have the the right to object to the processing of your personal information in certain circumstances.
   Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
   You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
   Please contact us at dpo@paynetics.digital if you wish to make a request.
   
   How to complain
   If you have any concerns about our use of your personal information, you can make a complaint to us at dpo@paynetics.digital or +44(0)330 223 6848
   You can also complain to the ICO if you are unhappy with how we have used your data.
   The ICO’s address:
   Information Commissioner’s Office
   Wycliffe House
   Water Lane
   Wilmslow
   Cheshire
   SK9 5AF
   
   Helpline number: 0303 123 1113
   ICO website: https://www.ico.org.uk