Which entity is the data controller and how will use your information

Satispay Europe S.A. (“Satispay”) is a financial regulated intermediary which acts as electronic money institution (“EMI”) authorized under the laws of Luxembourg. Satispay is, therefore, subject to the strict compliance of the laws and regulations applicable in this country and to the supervision of the competent authority of Luxembourg namely the Commission de Surveillance du Secteur Financier (additional information available at http://www.cssf.lu/).

Satispay, according to Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data (the “Regulation”), wishes to inform you about the way the information referring to users of the website and the Satispay services (the “Services”) is processed.

Satispay is the data controller of the processing of the User / Merchant personal data. Satispay has also appointed a data protection officer that the User / Merchant can contact at the email address dpo@satispay.com for information on the processing of his or her personal data or the rights that can be exercised.

As an EMI, operating from Luxembourg but with services in a number of European Economic Area (EEA) countries, Satispay will only process (i.e. collect, store and use) personal data of the User / Merchant in a manner that is compatible with the applicable law fairly and lawfully.

Satispay aims to collect data and information in an accurate, relevant and appropriate manner to the purpose for which this collection is necessary, without requiring unnecessary information.

This policy applies to the processing of personal data of Satispay Users / Merchants within all the services (present and future).

Additionally, this Privacy Policy also governs the processing of personal data relating to any User / Merchant and any individual not yet User / Merchant who asked Satispay for information, even of promotional nature, on Satispay, the industry in which it operates and its Services, including information on the Satispay projects delivered through social networks and other channels. 

What is a Privacy Policy?

To ensure that we process your personal data fairly and lawfully we want to inform the User / Merchant and any data subjects:

• why we need your data;
• how it will be used; and
• who it will be shared with.

This is the purpose of the Privacy Policy of Satispay.

How does Satispay collect personal data?

Personal data that Satispay collects about the User / Merchant come from:

• information given to us as part of the download and sign-up application process to allow to give the User / Merchant access to the Services;
• information that the User / Merchant has given us over the telephone, via email or social media;      
• details of any checks Satispay has made to ensure the accuracy of the information held; and
• information given to us to receive newsletter and/or other information from Satispay.

With the consent of the User / Merchant, Satispay may access information about his/her contacts of the phonebook or recorded in the context of the email, messaging, social network services joined by the same and provided by third party companies (for example Gmail, WhatsApp, Facebook or other social network contacts) in order to allow the User / Merchant to invite other people to download the Satispay app and/or send them money and request the Services offered by Satispay. In this case, Satispay will process this information for the sole purpose of sending the invitation. Satispay will only process information relating to the contacts chosen by the User / Merchant.

Satispay could also collect information relating to individuals not yet User / Merchant in relation to requests of information, even of promotional nature, on Satispay, the industry in which it operates and its Services, including information on the Satispay’s projects delivered through social networks and other channels.

What is “personal data”?

“Personal data” refers to any information useful to identify a natural person directly or indirectly, that is already held by Satispay or which the latter could come into possession of.

Examples of personal data include:

• names and surname;
• home address details;
• tax code;
• bank account details;
• date of birth;
• telephone number;
• information contained in the identity card or other document with similar purposes;
• email address;
• location.

Data generated through the use of our Services are personal data as well, such as:

• information on the browser and on the device;
• IP address;
• data on the use of the app and the Services;
• information collected through cookies and other technologies, provided by you and that do not reveal your specific identity.

What types of personal data does Satispay handle?

Satispay does not handle special categories of data but it processes the other types of data mentioned above. In particular, in order to carry out its duties as EMI, Satispay is required to request personal data such as names, dates of birth, addresses, telephone numbers, email addresses, bank account details and other useful documents to verify the identity of the User / Merchant.

Satispay uses the other information mentioned in the previous paragraph to provide its Services and comply with the legal obligations provided as EMI.

In relation to the use of data of the User / Merchant for direct marketing purposes, Satispay adopts the principle of minimization. Satispay may propose promotional offers based on data such as, for instance, your place of residence or the volume of transactions carried out in a certain period. These activities have been carefully evaluated and considered as not invasive and detrimental to the rights and fundamental freedoms of the User / Merchant.

In order to allow Users / Merchants to invite their contacts of the phonebook or recorded in the context of the email, messaging, social network services joined by the same and provided by third party companies (for example Gmail, WhatsApp, Facebook or other social network contacts), Satispay will use only the minimum identification and contact information of the subjects chosen by the User / Merchant (name, surname, email and / or telephone number). The minimum dataset may change in relation to the terms and conditions of the third party company providing the relevant email, messaging, social network service.

With reference to the information relating to individuals not yet User / Merchant, it includes the details requested within the relevant data collection forms and are usually limited to identification data (name, surname, VAT number) and contact data (email address and/or phone number, as the case may be). 

Why does Satispay process personal data?

Satispay processes data of the User / Merchant for the following purposes:

• to provide the e-money transfer service requested by the User / Merchant and therefore to fulfil the obligations assumed under the agreement for the provision of Services (including the geolocation of the device);
• to prevent and detect financial crime, fraud, fight the terrorism and, more in general, the access to Services by those who could jeopardize their security and therefore to fulfil legal obligations and also under a legitimate interest of Satispay;
• to comply with the legal obligations established for all the EMIs, entities acting in a regulated market (for example in order to verify the User’s / Merchant’s identity, report any suspicious activity to the competent authorities, retain Users’ / Merchants’ data in order to comply with legal obligations);
• to promote and/or provide information on Services via email and push notifications (or any other channels) on the basis of Satispay’s legitimate interest and according to the criteria of minimum segmentation, having assessed that the User / Merchant is interested in obtaining information from the Service provider and that this does not have a particular impact on his or her rights and freedom; some push notifications, fully attributable to the Services because related to the use of the same or to information as, for example, the dispatch or confirmation of payments, may also be sent since they are necessary for the execution of the agreement for the provision of the Services; 
• to conduct campaigns relating to the Services on the basis of Satispay's legitimate interest and according to the criteria of minimum segmentation, having assessed the potential benefits for the User / Merchant belonging to the target segment for the above mentioned campaigns and that this does not have a particular impact on his or her rights and freedom;
• to fulfil legal obligations (for example, tax and anti-money laundering laws);
• to improve the Services and functionality of the website and the app and to carry out statistical and trends analysis, also through collection of information on website and app usage and on channels originating Users on the basis of a legitimate commercial interest of Satispay that does not have significant impacts on the User / Merchant. Furthermore, for the same purposes and to realise campaigns relating to the Services, the Users’ / Merchants’ data may be aggregated and/or anonymised in such a way that the identification of individuals is no longer possible. Such anonymised or aggregated information may be shared with potential commercial partners of Satispay, actual or prospective Merchants or other third parties on the basis of a legitimate commercial interest of Satispay and taking into account the impossibility to associate such information with specific individuals;
• to follow up any User / Merchant requests.

The personal data collected may also be processed in the context of any corporate events (sale of the company or going concerns), due diligence exercises, in the event of defense of legal claims and related prodromal activities.

Satispay also makes available to Users / Merchants the opportunity to invite some or all their contacts to download the Satispay app and/or to send them money and request the services offered by Satispay. In this case, where the User / Merchant has granted his / her consent, the third party personal data recorder in the context of the phonebook or of the email, messaging, social network services joined by the same and provided by third party companies (for example Gmail, WhatsApp, Facebook or other social network contacts), can be processed in order to send a communication concerning the invitation to download the Satispay app and/or to send them money and request the Services offered by Satispay to the contacts chosen by the User / Merchant. The aforementioned processing is carried out to allow the User / Merchant to select the contacts as addressees of the invitation. Contacts that have not been selected by the User / Merchant will not be saved and further processed by Satispay.

With reference to the data relating to individuals not yet User / Merchant, they are processed to follow up any requests of details, even of promotional nature, on Satispay, the industry in which it operates and its Services, including information on the Satispay’s projects delivered through social networks and other channels.

Whose personal data does Satispay handle?

In order to carry out our duties as an EMI, Satispay processes personal data from a range of individuals. This includes:

• Users;
• Merchants;
• relatives, guardians and associates of the individual concerned;
• staff including volunteers, agents, temporary casual workers, members, self-employed and other persons contracted to work on Satispay’s behalf;
• suppliers;
• complainants;
• individuals which personal data are provided by Users/Merchants in the context of the provision of the Services;
• individuals who are not yet User / Merchant asking Satispay for information, even of promotional nature, including information on the Satispay’s projects delivered through social networks and other channels. 

In addition, in order to allow the delivery of the invitation to download the Satispay app and request the Services offered by Satispay to the contacts in the phonebook or recorded in the context of the email, messaging, social network services joined by the User / Merchant and provided by third party companies (for example Gmail, WhatsApp, Facebook or other social network contacts), Satispay processes the personal data of:

• the telephone contacts in the User/Merchant phonebook, also when such contacts use messaging and / or social network services; and/or
• the contacts of the User/Merchant linked to an email and / or social network account.

Whom may personal data being shared with?

Satispay obtains and shares personal data by and with several entities, which include:

• Merchants (as part of the provision of the Services requested by Users; in particular, for security reasons, at the time of payment only a minimum dataset of the User is disclosed to the Merchant);
• other Satispay’s Users;
• IT service providers;
• personnel, including volunteers, agents, casual workers, partners, self-employed workers and persons working under contract on Satispay’s behalf;
• complainants;
• suppliers of commercial information;
• service providers for adequate customer verification;
• companies of the Satispay group;
• any Satispay business partners in the provision of the Services requested by the User / Merchant;
• relatives, guardians or associated people with the data subject;
• licensing authorities;
• financial institutions (e.g. banks and regulated payment services providers);
• third party data processors that work on Satispay’s behalf;
• where requested, the competent courts;
• where requested, law enforcement agencies (including the police);
• where requested, public administrations and regulatory authorities.

All these entities act as autonomous data controllers or have been authorized by Satispay where they act on its behalf (as data processors).

If this is instrumental to the pursuit of the purposes set out above, personal data may also be transferred abroad to companies located both within and outside the European Union. Some of these jurisdictions may not guarantee the same level of data protection guaranteed by the country in which the data subject resides. In this case, Satispay undertakes to ensure that the data is processed with the utmost confidentiality, stipulating, if necessary, agreements that guarantee an adequate level of protection and / or adopting the standard contractual clauses provided by the European Commission.

Information held is only shared with those entities which have a “need to know basis”.

Where you engage a regulated third party payment services provider (the “TPP”) to access to your Satispay account for account information, confirmation on the availability of funds or payment initiation services, Satispay will share with the TPP, subject to your consent, the relevant information on your Satispay account, including, as the case may be, the transaction history and the availability of funds, the initiation of the payment transaction on your behalf and the execution of such payment transaction. The data received by the TPP will include your personal data (for example, your Satispay ID, your Satispay account balance and currency and your payment transaction history details, including the Satispay ID of the payments’ beneficiaries). Satispay will transfer the personal data described in this section to follow up any of your request and to comply with the legal obligations established for all payment services providers. How does Satispay ensure the security of personal data?

Satispay takes the security of the data subjects’ personal data held very serious. For this purpose, Satispay has set up data security procedures and an Information Security Policy to ensure that all data is protected from accidental loss or misuse. Satispay only permits access to information where there is a legitimate reason to do so.

Satispay is also bound by strict confidentiality obligations, as well as professional secrecy.

What if the data Satispay holds about you is incorrect?

It is important that the data held by Satispay is accurate and up to date. If the data provided to Satispay will change, please contact Satispay (support@satispay.com or via social media) immediately so that it can update its records.

How long does Satispay store the data?

Personal data will be stored in compliance with the applicable laws, for a period of time not exceeding what is necessary to achieve the purposes for which they are processed. The criteria for determining the data retention period take into account the lawful processing period and applicable laws (for example, tax or anti-money laundering laws), the statute of limitation periods and the nature of legitimate interests where they are the legal basis of the processing.

Personal data may be stored for a longer period than the one originally planned, in the event of any disputes or requests by the relevant Authorities.

Your information is only held for as long as necessary and will be disposed of in a secure manner when it is no longer needed.

Which rights can the data subject exercise in relation to the information processed by Satispay?

Any data subject (namely any User / Merchant as well as those who are not yet User / Merchant but have requested information and provided their personal data to Satispay) may exercise specific rights, including to obtain from the data controller:

• confirmation as to whether or not personal data concerning him or her are being processed, and, should this be the case, access to the personal data (right of access);
• the rectification of inaccurate personal data concerning him or her (right to rectification);
• the erasure of personal data concerning him or her, in the event that one of the grounds provided for by art. 17 of the Regulation applies (right to erasure);
• the restriction of processing where one of the grounds provided for by art. 18 of the Regulation applies (right to restriction of processing);
• to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller from the controller to which the personal data have been provided (right to data portability).

Any data subject has the right to withdraw the consent to the processing of his or her personal data (if this was given) at any time, without prejudice to the lawfulness of the processing based on consent before its withdrawal.

Furthermore, any data subject has the right to object to the direct marketing activities carried out by Satispay, including any segmentation for marketing purposes. As regards the management of push notifications, where active, this must be done through the settings of the devices of the User / Merchant.

In case of IOS devices, the relevant operating system provides for a consent request, during the download of the app and registration to access the Services, in order to send the push notifications and to use tracking technologies for analytics on app download and usage. As described above, in Satispay’s opinion other legal basis justify the dispatch of such communications and the use of such technologies. However, as of today, for technical reasons this is the only way to authorise push notifications or the collection of information on app download and usage on IOS devices. Accordingly, in the absence of push notification consent, the User will not be able to receive, for example, information relating to the receipt of money from other Users, the dispatch or confirmation of a payment, the existence of a new functionality in the app and, in the absence of tracking technology consent, for example, it will not be possible to analyse app usage data to improve functionalities and Services. On the contrary, the operating system of Android devices, in line with the legal basis previously mentioned, does not require the granting of a consent, during the download of the app and registration to access the Services, neither to receive the notifications in app nor to use such tracking technologies. The User is, in any case, free to handle separately at any time both the push notifications and the tracking through the settings of his Android device and to disable or reactivate the same according to his own preference.

Any personal data provided by the User from the early stage of download of the app (e.g. name, surname, email address, phone number) will be stored by Satispay as long as it is necessary in order to comply with legal obligations provided under the relevant anti-money laundering and terrorism prevention laws applicable to an EMI. Accordingly, the request for erasure of the personal data provided from the early stage of the download of the app will be followed up with reference to those purposes of the data processing which are different from those deriving from the above-mentioned legal obligations. Where Satispay is prevented to proceed with the request of erasure, Satispay specifies the following:

• Satispay shall retain personal data for a period of 5 years starting from the moment in which the Services are terminated and exclusively for anti-money laundering and prevention of terrorism purposes as provided under the applicable law;
• Satispay will allow the access to personal data conferred by the User / Merchant as long as it is obliged to retain them, only to its competent anti-money laundering, legal and compliance functions and to comply with potential requests of the competent authorities;
• Satispay will comply with the relevant data subject request after 5 years from the moment in which the Services are terminated.

To exercise his or her rights, the data subject can write to the email address support@satispay.com or use the dedicated tools in the app.

Sometimes Satispay will not be able to provide with all the requested information and follow up the User / Merchant requests, due to the obligations deriving from the EMI qualification. Anyway Satispay will make every reasonable effort to follow-up to the requests of the Users / Merchants and any data subjects.

According to the Regulation, Satispay is not authorized to charge costs for fulfilling one of the requests set out in this paragraph, unless they are manifestly unfounded or excessive, in particular because of their repetitive character. In cases where the data subject requires more than one copy of his or her personal data, or in cases of excessive or unfounded requests, Satispay may (i) charge a reasonable fee, taking into account the administrative costs of providing the information or (ii) refuse to act on the request. In these cases, Satispay will inform the data subject of the costs before processing the request.

Satispay may request further information before processing requests if it needs to verify the identity of the individual who does the submission.

Without prejudice to any other administrative or judicial appeal, the data subject shall also have the right to lodge a complaint with the competent Supervisory Authority (Commission nationale pour la protection des données), if he or she considers that the processing concerning him or her is done in violation of the Regulation. Further information is available on the website https://cnpd.public.lu/en.html.

In any case, Satispay is interested in being informed of any grounds for complaint and invites any data subject to use the above mentioned contact channels before referring to the supervisory authority, so as to be able to prevent and resolve any disputes in a friendly and timely manner, with the utmost courtesy, seriousness and discretion.

Links to external websites

Satispay may provide links to other content such as websites, web apps and downloadable apps. Unless expressly stated, this content is not under Our control. Satispay neither assumes nor accepts responsibility or liability for such third party content. The provision of a link by Satispay is for reference only and does not imply any endorsement of the linked content or of those in control of it.