1. DEFINITIONS

The terms used in this Privacy Policy shall have the meaning as follows:

1.1. Agreement – all and any agreements (if any) entered into between you and Payoma. Whether the agreement is a single document titled “agreement” or a collection of documents such as “terms and conditions” together with your consent to use the Services makes no difference; all of these are considered an Agreement.

1.2. Compliance Requirements – various requirements we have to comply with, including counter-terrorism financing, anti-money laundering and politically-exposed persons-related requirements.

1.3. Controller – Payoma, as the one who determines the purposes and means of the Processing of your Personal Data.

1.4. Data Subject, you – you as a natural person who is our existing or prospective client and/or user of the Services, and/or visitor of the Website, or another natural person whose Personal Data we process.

1.5. ICO – Information Commissioner’s Office as data protection supervisory authority for the United Kingdom.

1.6. Payoma, us – we, Payoma Limited, an English company with company No 09016606 and legal address at Level 18, 40 Bank Street, London E14 5NR, UK.

1.7. Personal Data – any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the Regulation).

1.8. Policy – this Privacy Policy.

1.9. Processing – any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 4(2) of the Regulation).

1.10. Processor – natural or legal person, public authority, agency or other body which processes Personal Data on behalf of Payoma.

1.11. Regulation – General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

1.12. Services – any of the services provided by Payoma.

1.13. Website – Payoma website payoma.com.

2. GENERAL PROVISIONS

Scope of this Policy

2.1. This Policy lays down how we process the Personal Data.

Accepting of the Policy and consent to Processing of your Personal Data

2.2. You can accept the Policy only in its entirety. This means that you cannot accept some provisions of the Policy and not accept others. If you do not accept any one of the provisions of this Policy, this means you do not accept the Policy.

2.3. By using the Services and/or continuing to visit the Website you are accepting this Policy and giving your consent to Processing of your Personal Data as laid down in this Policy.

2.4. If you do not accept the Policy, you must immediately stop using the Services and leave the Website.

Your consent for us to Process your Personal Data

2.5. By using the Services and/or continuing to visit the Website you are also giving us your consent to Process your Personal Data as laid down in this Policy.

2.6. If you do not wish to give us your consent to Process your Personal Data, you must immediately stop using the Services and leave the Website.

Legal meaning of this Policy

2.7. This Policy does not replace any part of the Agreement unless the Agreement clearly says so.

2.8. This Policy itself is not an agreement between you and Payoma but is an explanation of how we comply with the Regulation.

2.9. We can at any time and without giving you notice amend the Policy in the way we think is appropriate and permitted by the Regulation.

2.10. You can find the current version of the Policy in the respective section of the Website.

3. PROCESSING OF YOUR PERSONAL DATA

3.1. Payoma is the Controller. You may contact us using all means indicated on the Website.

3.2. The legal basis for the processing of your Personal Data is the Agreement and/or your consent (where applicable).

3.3. Your Personal Data are processed as provided in the Regulation.

4. PRINCIPLES OF PROCESSING (ARTICLE 5(1) OF THE REGULATION)

Lawfulness, Fairness and Transparency

4.1. Personal data shall be Processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose Limitation

4.2. Personal data shall be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes; further Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.

Data Minimisation

4.3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

4.4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Storage Limitation

4.5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject.

Integrity and Confidentiality

4.6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

5. WHAT PERSONAL DATA WE PROCESS

5.1. The nature and exact amount of your Personal Data we process depend on what Services you are using (if any) and the nature of the relationship between you and us (whether you are our existing client, are becoming one or are just visiting the Website).

Categories of Personal Data

5.2. For provision of the Services, inter alia for you to become our client, we may Process different categories of Personal Data. Below we have listed some examples of possible categories of Personal Data we Process.

Please note that this list is not exhaustive (this means there can be other categories of Personal Data not on the list). Also, please note that not all categories of Personal Data will likely apply to you. We will Process the Personal Data only when and if we need it.

Possible categories of the Personal Data we may process are:

5.2.1. Identification data. This may include your names, ID code, birth date, residence address, nationality, photo etc.

5.2.2. Online identification data. This may include your identification data you are using to access the Website, your social network name, messenger software ID etc.

5.2.3. Contact information. This may include your postal address, phone number, electronic mail address, other means of communication etc.

5.2.4. Financial data. This may include your payment card and your bank details, information on your transactions etc.

Cookies

5.3. For a better experience of using the Website we also use cookies – small units of data comprising details that may be downloaded by your device as you access our Website. To learn more about how we use cookies, please see our Cookie Policy.

6. PURPOSES FOR PROCESSING OF PERSONAL DATA

6.1. We may process your Personal Data for the following purposes:

6.1.1. To provide you with our Services and duly perform the Agreement,

6.1.2. To further improve our Services,

6.1.3. To meet our Compliance Requirements (for example, to justify your transaction is not illegal),

6.1.4. To comply with other statutory duties (for example, for accounting and tax calculation),

6.1.5. To comply with our contractual and similar obligations, inter alia our obligations to payment systems, partner banks and insurance companies (as payment processing includes many stages and several actors are involved, making your payment happen normally means we have to receive and transfer your Personal Data),

6.1.6. For statistics and analytics,

6.1.7. To ensure normal business operations (for example, putting your name in correspondence exchange between us etc.).

7. COLLECTION OF PERSONAL DATA

7.1. We collect your Personal Data mostly from the following sources:

7.1.1. From the information you provide us,

7.1.2. From merchants whose goods or services you purchase using your payment card,

7.1.3. From merchants, who wish to pay cash to your payment card,

7.1.4. From payment systems, banks and other financial institutions involved in processing of payments,

7.1.5. From public registries,

7.1.6. From various other registries and databases.

8. TRANSFER AND POTENTIAL RECIPIENTS OF THE PERSONAL DATA

8.1. Potential recipients of your Personal Data are:

8.1.1. Supervising and other competent authorities, e.g. UK Financial Conduct Authority, crime investigation authorities, courts etc.,

8.1.2. Payment systems, banks and other financial institutions involved in processing of payments,

8.1.3. Our partner banks,

8.1.4. Our affiliates,

8.1.5. Our outsourced services providers, e.g. our accountants and legal advisers,

8.1.6. Our IT service providers,

8.1.7. Payoma officers and employees.

8.2. We may transfer Personal Data to a third country provided the respective requirements laid down by the Regulation are complied with and such transfer will not decrease the level of protection of the Personal Data transferred.

8.3. We may appoint a Processor for Processing of Personal Data. If we do so, we will approach the selection of such Processor with due care and properly appoint the Processor using an agreement or other means that are both legally valid and permitted by the Regulation.

9. YOUR RIGHTS IN RESPECT OF THE PERSONAL DATA WE PROCESS

Right of access (Article 15 of the Regulation)

9.1. You can ask us to tell you whether we Process your Personal Data and, if we do, which of your Personal Data we Process.

9.2. We will provide you with the following information:

9.2.1. the purposes of the processing,

9.2.2. the categories of Personal Data concerned,

9.2.3. the categories of recipient to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations,

9.2.4. the criteria used to determine the period for which the Personal Data will be stored,

9.2.5. confirmation that you have the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,

9.2.6. confirmation that you have the right to lodge a complaint with ICO,

9.2.7. where the Personal Data are not collected from you, any available information as to source of the Personal Data,

9.2.8. that we have automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject,

9.2.9. if we have transferred your Personal Data to a third country or to an international organisation, information on appropriate safeguards relating to the transfer as provided in the Regulation.

9.3. We will also provide you a copy of your Personal Data undergoing Processing and we do so in a commonly used electronic form.

Right to rectification (Article 16 of the Regulation)

9.4. You can ask us to correct your wrong or out-of-date Personal Data. We will correct that Personal Data without undue delay.

Right to be forgotten (Article 17 of the Regulation)

9.5. You can ask us to erase your Personal Data.

Right to withdraw consent to Process

9.6. Where Processing of your Personal Data is based on your consent, you can withdraw consent at any time, without affecting the previous Processing.

Right to restriction of processing (Article 18 of the Regulation)

9.7. In certain cases (which are set out in Article 18 of the Regulation) you can ask us to restrict Processing of your Personal Data. Such cases may be, for example, if you reasonably consider and notify us that your Personal Data we process is not accurate, but we do not correct it before carrying out a proper check.

9.8. Where you have restricted Processing of your Personal Data we will not use it otherwise than for storage or to legally protect ourselves.

Right to data portability (Article 20 of the Regulation)

9.9. You can ask us to provide you your Personal Data you have given us, and we will do so in a structured, commonly used and machine-readable format. Afterwards you can transmit that Personal Data to anyone you like.

Right to lodge a complaint

9.10. You have the right to lodge a complaint with ICO if you think your Personal Data are Processed wrongly.

10. AUTOMATED DECISION-MAKING

10.1. We may apply automated decision-making, including profiling, in respect of processing of financial service-related Personal Data.

10.2. Automated decision-making, such as different filters, may be used mainly to protect rights and legitimate interests of other parties, e.g. to automatically highlight transactions that have markers telling us there may be high fraud and/or terrorism financing and/or money laundering risk etc.

10.3. As with any automated means such solutions never can be completely error-proof. This means that these solutions, for example, theoretically can block a normal and legal transaction.

10.4. If you think that the automatically-made decision taken in respect of you is incorrect, please tell us so and explain what exactly is wrong with it. We will without undue delay assign a Payoma employee to review that automatically-made decision.

11. TERM OF STORING THE PERSONAL DATA

11.1. Your Personal Data will be stored for a term that depends on the category of the Personal Data. The term of storage will be as laid down in the law, e.g. no shorter than the applicable limitation term and mandatory storage term (if any), but no longer than is reasonably necessary. The law may provide different terms for storage of different kinds of Personal Data.

12. PROTECTION OF YOUR PERSONAL DATA

12.1. We apply appropriate technical and organisational measures to ensure security of your Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage.

13. BACK-UP FILES

13.1. As part of our information security measures, including Personal Data security measures, we create restoration copies of our files. How often and how exactly we do this is determined by us at our own discretion. Such back-up techniques may include more than one back-up level, different periodicity and other aspects.

13.2. Using back-ups increases the safety of your Personal Data we Process. At the same time, this means that should you ask us to change or delete your Personal Data, the back-up files will for some time contain the previous version of your Personal Data or the Personal Data itself, respectively. These back-up copies will be replaced by new back-up copies with up-to-date information during the normal process of backing up our files.