1. The Data Controller and the legislative framework
Paytah is committed to respecting your privacy and protecting your data in accordance with the General Data Protection Regulation.
Throughout this notice:
- “you” shall refer to yourself as a client of Paytah or authorised person to represent yourself as a client of Paytah;
- “we” shall refer to Paytah, the trading name of Phoenix Payments Ltd, a Payment Institution with Company No. C77764 and registered address at 5th Floor, Valletta Buildings, South Street, Valletta, VLT1103, Malta, and acting as Data Controller; and
- “data” shall refer to personal data, i.e. any information that may be related to an identified or identifiable data subject.
Please read this Privacy Notice carefully and kindly do not use our services if you disagree with it.
Any changes we make to this Privacy Notice will be posted on our website.
2. The legal basis for the processing of personal data
The legal basis for processing your data are:
- consent for one or more specific purposes
- the performance of a contract to which you are party
- a legal obligation or requirement
- legitimate interests pursued by Paytah
3. What data do we collect?
We may collect and process the following data:
- your identity and contact information, e.g. your official name, date and place of birth, nationality, residential address, tax residency, email, telephone number, documents to prove your identity or your address
- your financial data, e.g. bank account, payment details and history, products and services used
- correspondence that you send us
- marketing and communications data
- other information, e.g. information collected through cookies, IP address, log-in times, operating system and browser type and details of your visits to our website
Please always provide us with updated, correct and accurate information and notify us immediately in case of changes to the information that you provided us. Please also make sure that you obtain the consent of another person whenever you provide us with information related to such person.
If you opt not to provide us with any of your data, this may delay or prevent us from adhering to our obligations or from performing our services to you. In this event, our product or service provided to you may be cancelled
4. How do we collect your data?
We collect your data from different sources. Some information may be provided by yourself (or by a person authorised by you) such as when we request a copy of your passport. Some information may also be collected from publicly available sources (e.g. social media or trade registers) or from third parties, in particular to comply with our legal obligations to prevent fraud, money laundering or terrorist financing.
5. How do we use your data?
We will use your data:
- if we have obtained your consent to the processing of your data
- the processing of your data is necessary to enter into an agreement and to perform the contractual obligations
- if the processing of your data is necessary to comply with a legal obligation
- if the processing of your data is necessary to protect your vital interests
- if the processing of your data is necessary and in accordance with our legitimate interests
- if the processing of your data is necessary for us to establish, exercise and protect our legal rights
- for market research. You may be contacted to participate in market research. In this case, your participation and any information provided by you will be held anonymously, unless you instruct us otherwise.
- to inform you about our products and services. You may opt to stop receiving this marketing communication whenever you want by contacting us
6. Automated processing of your data
We may use automated systems to make decisions about you based on an assessment of data that we hold about you. In this event, you have the right to contact us to challenge the automated processing of your data.
7. For how long do we keep your data?
We shall keep your data for a period of time in accordance with laws and regulations applicable to us. For example, we shall retain your information for at least 5 years to comply with the anti-money laundering and funding of terrorism regulations.
8. Who are the recipients of your data?
We may share your data with the following recipients:
- our employees, associated companies, auditors, consultants and associates
- persons that you receive payments from and make payments to
- market researchers
- correspondent and agent banks, merchant banks and payment service providers
- law enforcement agencies
- courts of law, tribunals and other dispute resolution bodies
- governmental or competent authorities
We shall ensure that there are appropriate safeguards in place to protect your data whenever we transfer your data to a recipient that is located outside the European Economic Area.
9. How do we protect your data?
We have adopted appropriate technical and organisational measures to collect and process your data. Such measures include, among the others, the restriction of access to your data by unauthorised personnel and strong technological security systems, e.g. anti-virus programs and firewalls.
We also ensure that appropriate measures are adopted by any third party to whom we will transfer your data.
However, please keep in mind that the transfer of data over the internet, despite all the necessary safeguards being applied, involves some degree of risk and is never fully secure. By way of example, we will never send you an email asking you for your credit card number, username and password. In this event, you shall forward this email to us.
10. What are your rights?
Under the General Data Protection Regulation, you may exercise following rights:
- right to be informed on what information is being collected, how it is being used, how long it will be retained by us and if it will be shared with third parties
- right to access. You may submit an access request and we will provide you with a copy of any of your personal data. The exercise of this right is free of charge; however, we may charge a reasonable fee for the administrative costs where the request is manifestly unfounded or excessive or where you request further copies of your data
- right to rectification. You may ask us to update any inaccurate or incomplete information that we hold about you
- right to erasure (or to be forgotten). You can ask us to erase your data in certain circumstances, e.g. when data is no longer necessary or was unlawfully processed or when you withdraw your consent. However, we cannot erase your data where the processing is necessary for: exercising the right of freedom of expression and information; compliance with a legal obligation; achieving purposes in the public interest or statistical purposes in respect of the principle of data minimisation; the establishment, exercise or defence of legal claims
- right to restrict processing. You can ask us to limit the way we use your information
- right to data portability. You have the right to receive your data in a structured, commonly used and machine-readable format and to have your data transmitted directly from us to another controller, where technically feasible.
- right to object. We will notify you if we are going to use your data in a manner that is different from the use set out in our Privacy Notice. You have the right to object to any new use or change in use of your data.
11. Contact us
Questions, comments and requests regarding this Privacy Notice are welcome and should be addressed to our Data Protection Officer via email email@example.com?