1.1. Data Controller – UAB “ConnectPay”, company code 304696889 (hereinafter – the Company), registered address at Algirdo str. 38, 03218, Vilnius, Lithuania. The Company is an electronic money institution authorized and regulated by the Lithuanian supervisory authority – Bank of Lithuania. The Company’s activities include the issuing of electronic money, the redemption of electronic money, issuing and/or acquiring of payment instruments, execution of payments transactions, payment initiation, and account information services. The license of the Company and all activities covered by it can be-checked here.
Principles of processing personal data
2.1. The Company commits to comply with the provisions of General Data Protection Regulation, the Law on Legal Protection of Personal Data of the Republic of Lithuania and other applicable Personal data protection regulations and legal acts in the Republic of Lithuania and the European Union.
- Personal data is collected for specified and legitimate purposes and will not be further processed in a way that is incompatible with those purposes established prior to the collection of Personal data.
- Personal data is processed in a lawful, honest, and transparent way.
- Personal data is accurate and, if necessary, for the processing of personal data, constantly updated.
- Personal data is collected only to the extent which is necessary to fulfil the specified legitimate purpose.
- Personal data is stored for the period specified by the Company, but not longer than the terms set forth by the applicable legal acts. When the storage term has expired, the Personal data will be destroyed.
- Implementation of adequate organizational measures designed to secure Personal data against accidental or illegal destruction, modification, disclosure, and any other illegal management.
- Implementation of measures designated for the prevention of the use of Personal data by persons seeking to acquire funds by fraudulent means.
- Profiling by automated means may be used when processing Personal data for some services and products for the purposes of risk management in accordance with the Company’s legal obligations.
Legal basis for Personal data processing and purposes
3.1. Personal data is only processed by the Company when the Customer has given consent and / or when the processing of data is necessary in order to fulfil the agreement to which the Customer is a party, or to take action at the request of the Customer prior to the conclusion of the agreement and / or to process the data necessary for the fulfilment of the legal obligation imposed on the Company.
3.2. The purposes of the processing of the Personal data are, as follows:
(a) The provision of any of the following Services:
- issuance, distribution and redemption of electronic money;
- execution of payment transactions;
- payment initiation and account information service;
(b) The conclusion and execution of agreements;
(c) Customer services, including responses to questions, feedback, complaints, and the provision of the information regarding the Company’s products or services.
(d) Implementation of obligations under the Law on Money Laundering and Terrorist Financing Prevention (Customer’s identification, ongoing monitoring of the Customer’s activity, risk assessment);
(e) Additionally, the Company may collect and process the Personal data of the Customer as part of its direct marketing operations.
3.3. Personal data collected for direct marketing purposes may be processed only in those instances where the Customer has given clear consent for such actions. Consent can only be collected in a manner in which it is clearly indicated that the Customer agrees with the processing of their Personal data for the purposes of direct marketing. Direct marketing is all activities by which the Company offers its goods or services to the Customer by post, telephone or other direct means. In the event that the Customer refuses consent to the processing of their Personal data for direct marketing purposes, their Personal data will not be processed for direct marketing purposes.
3.4. The Customer is granted the right to withdraw their consent given for the processing of the Personal data for the purposes of the direct marketing. The Customer may withdraw their given consent by sending a request via e-mail: firstname.lastname@example.org as well as by using the electronic channel which is dedicated to the management of the Customer’s account and for the communication with the Company.
Types and Sources of Processed Personal data
4.1. In accordance with the purposes specified above in points a, b, c and d, the following Personal data is processed by the Company:
a) Customers (natural persons) – first name, surname, personal code, date of birth, place of birth, nationality, age (year of birth), address, place of residence, identification card (passport) number, issuance place, date and expiry date, mobile phone number, email address, employment data, photo, signature, financial institution account number, IBAN number, debit card number, video and audio record for identification, telephone conversations, customer IP addresses, date of transaction, transaction amount, currency, location, data concerning the beneficiary of the funds, history of the actions performed, the source of funds, etc.;
b) Representatives of the clients (legal entities), members of the client’s management bodies and other representatives (for example, employees) who are authorized according to corporate documents to represent the client in relations with the data controller or acting in accordance with power of attorney, or by official appointment for the purposes of representing the client): first name, surname, personal code, date of birth, place of birth, nationality, age (year of birth), address, place of residence, identification card (passport) number, place of issuance, date and expiry date, mobile phone number, email address, employment data, photo, signature, bank account information (bank name and bank account number), date of transaction, transaction amount, currency, data concerning the beneficiary of the funds (natural person’s name, surname, date of birth, personal identification number or other unique character assigned to this person to identify the person, legal entity name, legal form, registered office address, code, if any), etc.;
c) Ultimate beneficiary owners of the clients (legal entities), natural persons who directly or indirectly own a legal entity with a sufficient number of shares or voting rights or otherwise exercise control): first name, surname, personal code, date of birth, place of birth, nationality, age (year of birth), address, place of residence, identification card (passport) number, place of issuance, date and expiry date, mobile phone number, email address, employment data, photo, signature, number of shares held, voting rights or share capital, date of transaction, transaction amount, currency, data concerning the beneficiary of funds (natural person’s name, surname, date of birth, personal identification number, or other unique character assigned to this person to identify the person, legal entity name, legal form, registered office address, code, if any), etc.
d) Customers of the Merchants (natural persons using payment initiation or account information services): first name, surname, mobile phone number, email address, unique Merchant Consumer ID, IBAN number, IP address.
4.2. The Company has the right to process Personal data other than that specified, provided that legitimate and predefined objectives for the processing of Personal data are established. In this case, Personal data is collected and processed in accordance with the applicable legal requirements and procedures established by the competent authorities.
4.3. The Personal data collected and processed for the purposes of the direct marketing is as follows: name, surname, the email address, mobile phone number and the address of the place of residence.
4.5. The Personal data of the Customer is obtained from the following sources:
- the Customer – Personal data of the customer is obtained at the beginning of the business relationship and may be further collected throughout the implementation of the contract;
- the commercial banks, or other credit and financial institutions – Personal data from commercial banks, other credit and financial institutions is obtained through execution of payment transactions;
- the Merchants – for payment initiation and account information services, Personal data is obtained from the Merchants, through the provision of payment initiation and/or account information service;
- other third-party providers such as state and non-state registers, databases for identity verification checks, international sanctions, law enforcement agencies, other databases and open-source engines. Personal data is obtained through the execution of such legal obligations as identification, due diligence processes, and required screenings.
Customer Personal data recipients
a) payment service users (payees and payers);
b) financial institutions (subject to the Customer’s consent and in the scope of the Personal data solely specified by the Customer);
c) agent of a payment institution;
d) the Bank of the Republic of Lithuania and the SEPA/International Interbank Financial Telecommunication System – SWIFT participant (personal data for these beneficiaries is subject to the use of the Single Euro Payments Area – SEPA/ SWIFT);
e) credit/debit card processing service provider;
f) identity verification service providers;
g) vendors of software development and support services;
h) transaction monitoring service providers;
i) risk management tools providers;
j) website domain hosting providers;
k) cloud service providers;
l) other suppliers;
m) law enforcement units, regulatory bodies or courts, in situations where the Company is required by law to do so.
5.2. Customer Personal data may be transmitted to third parties not specified above for specified and legitimate purposes only, and only to third parties who have the right established by laws and other legal acts to receive personal data in the countries of the European Union and the European Economic Area.
Data Retention Period
6.1. By law (Law on the Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania and in view of the statute of limitations) the Company has the right to store Personal data records for a maximum of 10 years after the termination of their business relationship with the Customer. Such records include Personal data such as Customer’s name, contact details, account details, transactional history, etc. Consent for direct marketing is valid until such time as the Customer has withdrawn it, but no longer than 5 years. For more detailed information on the specific retention periods applicable for other categories of personal data, please contact us directly.
Security of personal data
7.1. The Company implements necessary organizational and technical measures to protect the Customers’ personal data in transit and at rest from accidental or unlawful destruction, modification, disclosure, as well as any other unlawful handling.
8.1. Cookies are small text files, often including unique identifiers, which are sent by web servers to web browsers, and which may then be sent back to the server each time the browser requests a page from the server.
8.2. The Company has its own website, and cookies may be obtained in order to provide the Data subject with the full range of Services provided by the Company during website visits, and in order to improve the quality of the Services provided to the Data subject’s computer (device). The Company may use the following types of cookies:
- Strictly necessary cookies – these cookies are essential for the browsing of the website and use its features, such as accessing secure areas of the site. These cookies are mandatory and cannot be switched off.
- Functionality cookies —these cookies allow a website to remember choices the Customer has made in the past, like what language they prefer, or what their username and password are so as to facilitate automatic log in.
- Google Analytical cookies —these cookies record information such as how many pages a Customer has visited on this website, the traffic source that brought them to the website, and how much time they have spent on the page. This collected information is used to measure, monitor and improve website performance. No sensitive personal information is collected through Google Analytics. None of this information can be used to identify or contact the Customer. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. To find out about Google Analytics, click here. However, for Customers who still wish to opt out of Google Analytics cookies, more information can be found here.
- Facebook Marketing cookies – the Company may from time to time use Facebook Advertising, Facebook Pixel for remarketing and tracking purposes. This tool allows the Company to understand and deliver ads and make them more relevant to the Customer. The collected data remains anonymous and the Company cannot see the personal data of any individual user.
8.3. List of cookies used by us currently:
|Strictly Necessary Cookies|
|cookielawinfo-checkbox-necessary||GDPR cookie consent plug-in||This cookie is set by the GDPR Cookie Consent plugin and is used to store user consent for the cookies in the category “strictly necessary”.||11 months|
|cookielawinfo-checkbox-non-necessary||GDPR cookie consent plug-in||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store user consent for the cookies in the non-necessary categories.||11 months|
|PHPSESSID||PHP applications||This cookie is native to PHP applications. This cookie is used to store and identify a users’ unique session ID for the purpose of managing user sessions on the website. The cookie is a session cookie and is deleted when all the browser windows are closed.||Expires When the browsing session ends.|
|_fbp||Facebook Analytics||To store and track visits across websites.||24 Hours|
|_ga||Google Analytics||Used to distinguish users.||2 years|
|_gat||Google Analytics||This cookies is installed by Google Universal Analytics to throttle the request rate to limit the collection of data on high traffic sites.||1 minute|
|_gat_gtag_UA_145907203_1||Google Analytics||To store a unique user ID.||1 minute|
|_gid||Google Analytics||This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how well the website is performing. The data collected includes number of visitors, and where those visitors have originated from.||24 hours|
|SAPISID||SAPISID cookies enable Google to collect user information for videos hosted by YouTube. An embedded YouTube-video collects visitor information and adjusted preferred settings. Google’s tag management system uses this cookie to measure and improve the customer experience.||2 years|
|APISID||APISID cookie is used to measure the number and behavior of Google Maps users.||10 year|
|HSID||Cookies called ‘SID’ and ‘HSID’ contain digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time. The combination of these cookies allows Google to block many types of attack, such as attempts to steal the content of forms that a Customer completes on web pages.||1 day or maximum of 2 years|
|SID||These cookies allow a site to authenticate users, prevent fraudulent use of sign-in credentials, and protect user data from unauthorized parties. For example, cookies called ‘SID’ and ‘HSID’ contain digitally signed and encrypted records of a user’s Google Account ID and most recent sign-in time.||2 years|
|SIDCC||“SIDCC” is a security cookie to protect a user’s data from unauthorized access.||2 years|
|SSID||AHSID, SSID, APISID and SAPISID cookies enable Google to collect user information for videos hosted by YouTube.||2 years|
|SEARCH_SAMESITE||This cookie is used to prevent the browser from sending this cookie along with cross-site requests.||182 days|
|1P_JAR||These cookies are used by Google to display personalized advertisements on Google sites, based on recent searches and previous interactions.||1 month|
|NID||These cookies are used by Google to display personalized advertisements on Google sites, based on recent searches and previous interactions.||Session|
|fr||This cookie is used to deliver, measure and improve the relevancy of ads.||3 months|
|test_cookie||Advertisement||This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users’ browser supports cookies.||15 minutes|
|IDE,DSID||Google AdWords||One of the main advertising cookies on non-Google sites is named ‘IDE’ and is stored in browsers under the domain doubleclick.net. Another is stored in google.com and is called ‘ANID’.||2 years|
|__Secure-3PAPISID ,__Secure-3PSID ,__Secure-3PSIDCC||Google AdWords||Builds a profile of website visitor interests to show relevant and personalized ads through retargeting.||2 years|