Privacy policy | OPAY

Privacy policy

UAB OPAY solutions Personal Data Processing Policy

We, OPAY Solutions UAB, legal entity code 302664558 (OPAY), care about the protection and privacy of your personal data and take your privacy very seriously. Therefore, as your data controller, we aim to keep you fully informed about the processing of your personal data. We will collect, store and process all data in accordance with the General Data Protection Regulation (EU) 2016/679 (the “Regulation”), the Law on Legal Protection of Personal Data, as well as other legislation.

Our payment services may only work if we collect, store, transfer, erase and/or otherwise use (“process” or “processing”) data relating to you. Personal data means any information about you that you provide or that we receive from other sources and that identifies you (“data”), such as your name, bank account number, address or email address, etc.

Please take the time to review this Policy as it describes which of your data we collect and for what purposes we process it when you visit this website, intend to use it, use our payment services or apply for a relevant position at OPAY. It also contains important information about the protection of your data, in particular your legal rights. We may change this Policy from time to time and we encourage you to review this Policy periodically. If you have any questions, please do not hesitate to contact us using one of the methods set out below.

What data we collect and process about you

When the buyer makes a payment using OPAY payment services, we collect and process basic personal data such as your name, personal identification number (if you provide one), bank account number, shopping cart identification data, email address and other data that are necessary for the formation of the payment order and for the provision of information on the execution/non-execution of payment.

We may collect the following data from the client (merchant as a natural person, representative of a legal person, shareholder, beneficial owner, member of the board of directors or other managing body) in the context of concluding and executing contracts with us for the provision of payment services:

identification data, such as a copy of the person, a copy of the identity document and its details, the residential address, the IP address, the power of attorney held by the representative, a photograph, the log-in data to the self-service system, including the browser used on the device, the details of when and from where you logged on to the website of our self-service system, as well as any other information provided by you in order to prove that you have the right to use our services;

economic data, such as economic-commercial activity performed by you (e.g., if you are self-employed, etc.), the goods you sell, the address where you carry out your activity, the telephone number you use for your activity, your email address, etc.;

financial data, such as origin of funds, registered country for the payment of taxes, bank accounts, payment documents.

We may also process correspondence data of website visitors, payers and clients. This could include correspondence between you and OPAY, attached documents (e.g. signing of documents) and metadata related to the correspondence.

In certain cases of remote identification (e.g. using electronic devices that allow live video transmission), we process biometric data of the person making the remote identification through facial recognition image(s). Such biometric data shall only be processed during the process of remote identification for the purpose of proper identification of the client and shall not be recorded or stored separately. As biometric data is a special category of personal data, it requires the explicit consent of the person carrying out the remote identification in accordance with Article 9(2)(a) of the Regulation.

We may also process information that you provide when applying for a job or other position ("career data"). Career Data could include your name, email address, telephone number, information about your education and professional experience and other data that you provide in your CV or application. This and additional career data may also be provided to us by third parties (e.g. recruitment agencies) under confidentiality obligations.

OPAY reserves the right to investigate during the recruitment process information about your skills, experience or qualifications, comments and opinions made public on social networks such as LinkedIn, Facebook, Instagram and Twitter, and we may also obtain other personal data about you from credit reference agencies, criminal record checking bodies, sanctions checks and enquiries from your former employers.

Important: if you provide us with the data of other persons related to you, you should obtain the consent of those persons and make them aware of this Policy.

For what purposes we collect and use your personal data

We process payer data so that you can conveniently pay for the goods you wish to purchase and so that we can provide you with payment services.

We process the identification and economic data of clients and persons associated with them in order to identify and contact you and to properly fulfil our contractual obligations to our clients/merchants in order to ensure the prevention of money laundering and terrorist financing, as well as to comply with international sanctions legislation.

We collect and process clients' or payers' financial data to make sure that your activity and payments are legal and do not violate international and local laws, such as the Law on the Prevention of Money Laundering and Terrorist Financing.

The processing of biometric data is necessary for the implementation of legal provisions, specifically the requirements of the Law on Prevention of Money Laundering and Terrorist Financing and Article 6(1)(c) of the Regulation. As biometric data is a special category of personal data, according to Article 9(2)(a) of the Regulation, it requires the explicit consent of the person making the remote identification.

We process career data in order to implement the recruitment process. The legal basis for processing this data is the conclusion of a further employment contract between you and us and/or the steps taken at your request to conclude such a contract, as well as our legitimate interests, i.e. to take a decision on your recruitment and to ensure the continuity of business.

In order to send you general direct marketing offers, we collect and use your email address.

In order to communicate with you, for example, to respond to your questions and requests regarding the provision of the services, to receive your feedback, to send you important notifications (in relation to changes to this Policy or other documents) or to send you technical notifications, updates, security alerts, support and administrative messages, we process your contact details and the content of the notifications received and sent to you. This data is processed in the legitimate interest of OPAY's business activities - the proper administration of the website and business, the provision of uniform and quality advice practices and the effective handling of disputes. Correspondence data may also be collected and processed for the purposes of implementing the Prevention of Money Laundering and Terrorist Financing Act.

In order to ensure the remote provision of services in the self-service system, we store the IP address and other data that identifies you, the content of communication, the time and other technical data.

In order to adequately protect the legitimate interests of OPAY and any third parties, we will process data for the purposes of protecting ourselves against unlawful activities, in particular fraud, as well as for the purposes of prevention, detection and application of remedies, and for the prevention of cyber-attacks on the data we store and other threats to the integrity of the website, and for the protection of our own interests when resolving disputes, in the case of improper performance of contractual obligations, and for the purposes of enforcement, exercise and defence of our other rights.

Children's personal data

Our website and services are intended for persons over the age of 18 or otherwise who, under the laws of the relevant country, can accept responsibility for obligations arising from a contractual relationship and are fully capable of taking legal action.

If we have reason to believe that we hold personal data of a person under this age in our databases without the consent of the holder of the parental rights, we will delete this personal data.

What gives us the right to receive and use your personal data

We receive and use your personal data under at least one of the following conditions:

you use payment services provided by OPAY;

you intend to enter into or have entered into a contract for payment services provided by OPAY;

you have given your consent;

you want to get a job at OPAY;

processing of personal data is possible on the basis of legislation;

to pursue our other legitimate interests, such as, for example:

to improve the quality of our services so that they meet your expectations;

to take various legal actions (for example, to lodge a claim or otherwise to avoid or reduce losses).

Important: if you do not provide us with the personal data that are necessary for the conclusion or performance of the contract or for the provision of payment services, we will not be able to provide you with services.

Use of cookies

For more information about the cookies used on our website, please see Description of Cookies.

Where we get your personal data

We use the personal data that you provide to us when you apply for and use our services, fill in data forms, make requests or claims, and that we record in your self-service account.

We may also receive your personal data from the client/trader:

if you are a person related to the client/trader (agent, employee, counterparty, founder, shareholder, participant, owner, etc.);

if you buy goods from the customer/trader and pay for them using payment services.

Who we provide your personal data to

For the provision of specific services, OPAY may engage external service providers to undertake data processing procedures on our behalf and under our instructions. We choose these external service providers carefully and in accordance with the law. We aim to ensure that service providers comply with the Regulation, the laws, the Policy and other mandatory legal requirements. The relationship between us as a data controller and a particular data processor, except where such relationship is established by law or regulation, shall be set out in a written contract or in written terms and conditions.

We provide your personal data in accordance with the legal requirements. Your personal data may be transferred to payment and other service providers involved in the execution of your payment order, to courts or other dispute resolution authorities, to other third parties to the extent that it is related to the sale, merger, purchase or reorganisation of all or part of our business or similar business changes (including, but not limited to, potential or existing purchasers of the business and their advisers).

We may use various service providers as data processors to process the personal data referred to in this Policy, such as: data centre, cloud, website administration and related service providers, advertising and marketing service providers, software development, provision and support companies, information technology infrastructure service providers, network service providers, messaging, direct marketing and related service providers, professional advisors and auditors and other consultancy companies.

Some of these service providers may be located in countries outside the EU/EEA, where the level of data protection may be considered inadequate by the EU/EEA standards. Nevertheless, we have appropriate agreements (or other valid guarantees) in place with such service providers to ensure that all necessary measures will be taken to protect your data in accordance with applicable requirements. We will always provide additional information on our data security safeguards upon request (a copy of this information will be emailed to you).

Important: payment and other service providers involved in the execution of your payment order may be based or operating in a country that does not ensure an adequate level of data protection. In such a case, we will take all measures to ensure that your personal data are used securely, but there may be cases where we cannot ensure that the recipient of the data complies with the same requirements as in the EU.

How long we store your personal data

We store your personal data for no longer than is necessary for the purposes for which they were collected or for such period as may be required by law, for example:

we store the data of payers and traders for a further 10 years, but no longer than is necessary for accounting purposes, in accordance with the time limits set by law.

data obtained by means of cookies are stored until the end of the session or for another period of up to 2 years.

candidates' data are kept for a maximum of 3 months from the date of signing the contract with the selected candidate.

the identification data of traders are accordingly stored for 8 years after the termination of the business relationship, in accordance with the Law on Prevention of Money Laundering and Terrorist Financing. Correspondence from business dealings with a client must be kept for 5 years from the date of termination of the transaction or business relationship with the client.

How secure are your personal data

We continuously use various security technologies and procedures to protect your personal data from unauthorised disclosure or use. Therefore, we carefully select our suppliers and require them to use appropriate measures that can adequately protect the confidentiality of your personal data. Access to data is limited to those persons who need it for the purposes described in this Policy.

However, we would like to point out that the transfer of data over the internet or by email is not always completely secure and it is not possible to guarantee that third parties will not access it, so you should be careful when submitting information using a public computer.

However, we would like to point out to you that the transfer of data to us via a website or email cannot be completely secure unless you take precautions yourself. For example, if you transfer the data on a public computer or if your personal computer is infected with a virus or other malicious program.

What are your rights

You have the following rights:

the right to have access to your personal data processed by OPAY by receiving copies of such data;

the right to have incorrect, inaccurate or incomplete data corrected;

the right to restrict the processing of your personal data until the lawfulness of the processing has been verified at your request;

you have the right, in certain circumstances, to request the erasure of your personal data or restriction of the processing of your personal data;

the right to object to the processing of personal data for direct marketing purposes and where the processing is carried out for our legitimate interests;

the right to receive your personal data processed in a structured, commonly used and computer-readable format and the right, under certain conditions, to have those personal data transferred to another controller;

where the processing of personal data is based on consent, the right to withdraw the consent you have given without prejudice to the use of your personal data prior to the withdrawal of consent;

the right to lodge a complaint with the State Data Protection Inspectorate (for more information please see here.)

How you can exercise your rights

You may submit requests (including a request to exercise your rights), complaints or communications (“enquiries”) to OPAY using the contact details below.

We will respond to your enquiry no later than 30 days from the date of receipt thereof. In exceptional cases, where we need more time to respond fully to an enquiry we have received from you, we will respond no later than 60 days from the date of receipt of the enquiry, after giving you a prior notice.

If you are not satisfied with the final answer, you have the right to file a complaint with your local data protection authority. In Lithuania, complaints are handled by the State Inspectorate for Personal Data Protection. For more information on how to lodge a complaint with the Inspectorate, please click here.

Principles of personal data protection that we comply with

We comply with the following principles when collecting and using the personal data you entrust to us, as well as personal data obtained from other sources:

to process your personal data in a lawful, fair and transparent manner;

to collect your personal data for specified, clearly defined and legitimate purposes and not to further process them in a way that is incompatible with those purposes;

to ensure that your personal data are adequate, relevant and only necessary for the purposes for which they are processed;

to ensure that the personal data processed are accurate and, where necessary, updated;

to ensure that your personal data are kept in a form which permits identification of the individual for no longer than is necessary for the purposes for which your personal data are processed;

to ensure that your personal data are processed in such a way that appropriate technical or organisational measures are taken to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.