1.1. Data Controller – UAB “ConnectPay”, company code 304696889 (hereinafter – the Company), registered address at Algirdo str. 38, 03218, Vilnius, Lithuania. The Company is an electronic money institution authorized and regulated by the Lithuanian supervisory authority – Bank of Lithuania. The Company’s activities include the issuing of electronic money, distribution and redemption of electronic money, issuing of payment instruments and/or acquiring of payment, execution of payment transactions, payment initiation, account information services. The license of the Company and all activities covered by it can be checked here.
Principles of processing personal data
2.1. The Company commits to comply with the provisions of General Data Protection Regulation, the Law on Legal Protection of Personal Data of the Republic of Lithuania and other applicable Personal data protection regulations and legal acts in the Republic of Lithuania and the European Union.
- Personal data is collected for specified and legitimate purposes and will not be further processed in a way that is incompatible with those purposes established prior to the collection of Personal data.
- Personal data is processed in a lawful, honest, and transparent way.
- Personal data is accurate and, if necessary for the processing of personal data, constantly updated.
- Personal data is collected only to the extent which is necessary to fulfil the specified legitimate purpose.
- Personal data is stored for the period specified by the Company, but not longer than the terms set forth by the applicable legal acts. When the storage term has expired, the Personal data will be destroyed.
- Implementation of adequate organizational measures designed to secure Personal data against accidental or illegal destruction, modification, disclosure, and any other illegal management.
- Implementation of measures designated for the prevention of the use of Personal data by persons seeking to acquire funds by fraudulent means.
- Profiling by automated means may be used when processing Personal data for some services and products for the purposes of risk management in accordance with the Company’s legal obligations.
Legal basis for Personal data processing and purposes
3.1. Personal data is only processed by the Company when the Customer or Partner has given consent and / or when the processing of data is necessary in order to fulfil the agreement to which the Customer or Partner is a party, or to take action at the request of the Customer or Partner prior to the conclusion of the agreement and / or to process the data necessary for the fulfilment of the legal obligation imposed on the Company.
3.2. The purposes of the processing of the Personal data are, as follows:
(a) The provision of any of the following Services:
- issuance, distribution and redemption of electronic money;
- execution of payment transactions;
- payment initiation and account information service;
- corporate card service;
- card acquiring service.
(b) The conclusion and execution of agreements (with Customers or Partners).
(c) Customer services, including responses to questions, feedback, complaints, and the provision of the information regarding the Company’s products or services.
(d) Implementation of obligations under the Law on Money Laundering and Terrorist Financing Prevention and other applicable regulations (Customer’s identification, ongoing monitoring of the Customer’s activity, risk assessment, risk management activities).
(e) Implementation of obligations under regulations governing financial sector (e.g. due diligence of the 3rd party service providers as per EBA guidelines on outsourcing).
(f) Additionally, the Company may collect and process the Personal data of the Customer as part of its direct marketing operations.
3.3. Personal data collected for direct marketing purposes may be processed only in those instances where the Customer has given clear consent for such actions. Consent can only be collected in a manner in which it is clearly indicated that the Customer agrees with the processing of their Personal data for the purposes of direct marketing. Direct marketing is all activities by which the Company offers its goods or services to the Customer by post, telephone or other direct electronic means. In the event that the Customer refuses consent to the processing of their Personal data for direct marketing purposes, their Personal data will not be processed for direct marketing purposes.
3.4. The Customer is granted the right to withdraw their consent given for the processing of the Personal data for the purposes of direct marketing. The Customer may withdraw their given consent freely at any point in time by using the electronic channel which is dedicated to the management of the Customer’s account and to communication with the Company.
Types and Sources of Processed Personal data
4.1. In accordance with the purposes specified above in points a, b, c and d, the following Personal data is processed by the Company:
a) Customers (natural persons) – first name, surname, personal code, date of birth, place of birth, nationality, age (year of birth), address, place of residence, identification card (passport) number, issuance place, date and expiry date, mobile phone number, email address, employment data, photo, signature, financial institution account number, IBAN number, debit card number, video and audio record for identification, telephone conversations, customer IP addresses, date of transaction, transaction amount, currency, location, data concerning the beneficiary of the funds, history of the actions performed, the source of funds, audio recordings if Customer calls to customer support, etc.;
b) Representatives of the Customers (natural persons or legal entities), members of the client’s management bodies and other representatives (for example, employees) who are authorized according to corporate documents to represent the client in relations with the data controller or acting in accordance with power of attorney, or by official appointment for the purposes of representing the client: first name, surname, personal code, date of birth, place of birth, nationality, age (year of birth), address, place of residence, identification card (passport) number, place of issuance, date and expiry date, mobile phone number, email address, employment data, photo, signature, bank account information (bank name and bank account number), date of transaction, transaction amount, currency, data concerning the beneficiary of the funds (natural person’s name, surname, date of birth, personal identification number or other unique character assigned to this person to identify the person, legal entity name, legal form, registered office address, code, if any), audio recordings if data subject calls to customer support, etc.;
c) Ultimate beneficiary owners of the clients (legal entities), natural persons who directly or indirectly own a legal entity with a sufficient number of shares or voting rights or otherwise exercise control: first name, surname, personal code, date of birth, place of birth, nationality, age (year of birth), address, place of residence, identification card (passport) number, place of issuance, date and expiry date, mobile phone number, email address, employment data, photo, signature, number of shares held, voting rights or share capital, date of transaction, transaction amount, currency, data concerning the beneficiary of funds (natural person’s name, surname, date of birth, personal identification number, or other unique character assigned to this person to identify the person, legal entity name, legal form, registered office address, code, if any), audio recordings if data subject calls to customer support, etc.
d) Customers of the Merchants (natural persons using payment initiation or account information services): first name, surname, mobile phone number, email address, unique Merchant Consumer ID, IBAN number, IP address, audio recordings if data subject calls to customer support.
e) Customers of the Merchants (natural persons using card acquiring payment option): first name, surname, mobile phone number, email address, unique Merchant Consumer ID, IP address, audio recordings if data subject calls to customer support.
f) Representatives of the Company’s 3rd party providers, partners: first name, surname, mobile phone number, email address, audio recordings if data subject calls to customer support.
g) Corporate Card holders (natural persons, using CP corporate cards): first name, surname, personal code, date of birth, place of birth, nationality, age (year of birth), address, place of residence, identification card (passport) number, place of issuance, date and expiry date, mobile phone number, email address, relationship with the Customer, account number for which card should be linked, photo, signature, date of card transaction, transaction amount, currency, data concerning the beneficiary of the funds (natural person’s name, surname, date of birth, personal identification number or other unique character assigned to this person to identify the person, legal entity name, legal form, registered office address, code, if any), audio recordings if data subject calls to customer support, etc.
4.2. The Company has the right to process Personal data other than that specified, provided that legitimate and predefined objectives for the processing of Personal data are established. In this case, Personal data is collected and processed in accordance with the applicable legal requirements and procedures established by the competent authorities.
4.3. The Personal data collected and processed for the purposes of direct marketing is as follows: name, surname, email address, mobile phone number.
4.5. The Personal data of the Customer/Partner is obtained from the following sources:
- the Customer – Personal data of the Customer (natural person) or Customer’s (legal entity’s) representatives is obtained at the beginning of the business relationship and may be further collected throughout the implementation of the contract;
- the Partner – Personal data of the partner’s representatives is obtained at the beginning of the business relationship and may be further collected throughout the implementation of the service agreement;
- the commercial banks, or other credit and financial institutions – Personal data from commercial banks, other credit and financial institutions is obtained through execution of payment transactions;
- the Merchants – for payment initiation and account information services, Personal data is obtained from the Merchants, through the provision of payment initiation and/or account information service;
- other third-party providers such as state and non-state registers, databases for identity verification checks, international sanctions, law enforcement agencies, other databases and open-source engines. Personal data is obtained through the execution of such legal obligations as identification, due diligence processes, and required screenings.
Customer Personal data recipients
a) payment service users (payees and payers);
b) financial institutions;
c) agent of a payment institution;
d) the Bank of the Republic of Lithuania and the SEPA/International Interbank Financial Telecommunication System – SWIFT participant (personal data for these beneficiaries is subject to the use of the Single Euro Payments Area – SEPA/ SWIFT);
e) credit/debit card processing service provider;
f) identity verification service providers;
g) vendors of software development and support services;
h) transaction monitoring service providers;
i) risk management tools providers;
j) website domain hosting providers;
k) cloud service providers;
l) other suppliers;
m) law enforcement units, regulatory bodies or courts, in situations where the Company is required by law to do so.
5.2. Customer Personal data may be transmitted to third parties not specified above for specified and legitimate purposes only, and only to third parties who have the right established by laws and other legal acts to receive personal data in the countries of the European Union and the European Economic Area.
Data Retention Period
6.1. By law (Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania and in view of the statute of limitations) the Company has the right to store Personal data records for a maximum of 10 years after the termination of their business relationship with the Customer. Such records include Personal data such as Customer’s name, contact details, account details, transactional history, etc. Consent for direct marketing is valid until such time as the Customer has withdrawn it, but no longer than 5 years. For more detailed information on the specific retention periods applicable for other categories of personal data, please contact us directly via firstname.lastname@example.org.
Security of personal data
7.1. The Company implements necessary organizational and technical measures to protect the Customers’ personal data in transit and at rest from accidental or unlawful destruction, modification, disclosure, as well as any other unlawful handling.
8.1. Cookies are small text files, often including unique identifiers, which are sent by web servers to web browsers, and which may then be sent back to the server each time the browser requests a page from the server.
8.2. The Company has its own website, and cookies may be obtained in order to provide the Data subject with the full range of Services provided by the Company during website visits, and in order to improve the quality of the Services provided to the Data subject’s computer (device). The Company may use the following types of cookies:
- Strictly necessary cookies – these cookies are essential for browsing the website and using its features, such as accessing secure areas of the site. These cookies are mandatory and cannot be switched off.
- Functionality cookies – these cookies allow a website to remember choices the Customer has made in the past, like what language they prefer, or what their username and password are so as to facilitate automatic log in.
- Google Analytical cookies – these cookies record information such as how many pages a Customer has visited on this website, the traffic source that brought them to the website, and how much time they have spent on the page. This collected information is used to measure, monitor and improve website performance. No sensitive personal information is collected through Google Analytics. None of this information can be used to identify or contact the Customer. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. To find out about Google Analytics, click here. However, for Customers who still wish to opt out of Google Analytics cookies, more information can be found here.
- Facebook Marketing cookies – the Company may from time to time use Facebook Advertising, Facebook Pixel for re-marketing and tracking purposes. This tool allows the Company to understand and deliver ads and make them more relevant to the Customer. The collected data remains anonymous and the Company cannot see the personal data of any individual user.
8.3. List of cookies used by us currently:
|Strictly Necessary Cookies|
|cookielawinfo-checkbox-necessary||GDPR cookie consent plug-in||To store user consent for the cookies in the category “strictly necessary”.||11 months|
|cookielawinfo-checkbox-non-necessary||GDPR cookie consent plug-in||To store user consent for the cookies in the non-necessary categories.||11 months|
|PHPSESSID||PHP applications||To store and identify a user’s unique session ID for the purpose of managing user sessions on the website. The cookie is a session cookie and is deleted when all the browser windows are closed.||Expires when the browsing session ends.|
|cookielawinfo-checkbox-others||GDPR cookie consent plug-in||To store the user consent for the cookies in the category “Other”.||11 months|
|CookieLawInfoConsent||GDPR cookie consent plug-in||Records the default button state of the corresponding category along with the status of CCPA. It works only in coordination with the primary cookie, viewed_cookie_policy. Contains values of both viewed_cookie_policy and cookielawinfo-checkbox-necessary/cookielawinfo-checkbox-non-necessary along with CCPA values.|
|cookielawinfo-checkbox-advertisement||GDPR cookie consent plug-in||To record the user consent for the cookies in the category “Advertisement”.||11 months|
|cookielawinfo-checkbox-functional||GDPR cookie consent plug-in||To record the user consent for the cookies in the category “Functional”.||11 months|
|cookielawinfo-checkbox-performance||GDPR cookie consent plug-in||To store the user consent for the cookies in the category “Performance”.||11 months|
|cookielawinfo-checkbox-analytics||GDPR cookie consent plug-in||To store the user consent for the cookies in the category “Analytics”.||11 months|
|_fbp||Facebook Analytics||To store and track visits across websites.||24 Hours|
|_ga||Google Analytics||Used to distinguish users.||2 years|
|_gat||Google Analytics||To throttle the request rate to limit the collection of data on high traffic sites.||1 minute|
|_gat_gtag_UA_145907203_1||Google Analytics||To store a unique user ID.||1 minute|
|_gid||Google Analytics||To store information on how visitors use a website and to help create an analytics report of how well the website is performing. The data collected includes the number of visitors and where those visitors have originated from.||24 hours|
|SAPISID||To collect user information for videos hosted by YouTube. An embedded YouTube-video collects visitor information and adjusted preferred settings. Google’s tag management system uses this cookie to measure and improve the customer experience.||2 years|
|APISID||To measure the number and behavior of Google Maps users.||10 years|
|HSID||Cookies called ‘SID’ and ‘HSID’ contain digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. The combination of these cookies allows Google to block many types of attack, such as attempts to steal the content of forms that a Customer completes on web pages.||1 day or maximum of 2 years|
|SID||To authenticate users, prevent fraudulent use of sign-in credentials, and protect user data from unauthorized parties. For example, cookies called ‘SID’ and ‘HSID’ contain digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time.||2 years|
|SIDCC||To protect a user’s data from unauthorized access.||2 years|
|SSID||To collect user information for videos hosted by YouTube.||2 years|
|SEARCH_SAMESITE||To prevent the browser from sending this cookie along with cross-site requests.||182 days|
|1P_JAR||To display personalized advertisements on Google sites, based on recent searches and previous interactions.||1 month|
|NID||To display personalized advertisements on Google sites, based on recent searches and previous interactions.||Session|
|OTZ||To help customize ads on Google properties, like Google Search.||1 month|
|fr||To deliver, measure and improve the relevancy of ads.||3 months|
|test_cookie||Advertisement||To determine if the user’s browser supports cookies.||15 minutes|
|IDE,DSID||Google AdWords||One of the main advertising cookies on non-Google sites is named ‘IDE’ and is stored in browsers under the domain doubleclick.net. Another is stored in google.com and is called ‘ANID’.||2 years|
|__Secure-3PAPISID ,__Secure-3PSID ,__Secure-3PSIDCC||Google AdWords||Builds a profile of website visitor interests to show relevant and personalized ads through retargeting.||2 years|
|cb_anonymous_id||AdRoll user related.||1 year|
|cb_user_id||AdRoll user related.||1 year|
|cb_group_id||AdRoll user related.||1 year|