Privacy Policy

Who is the data controller and how can you contact the DPO? 

Satispay Europe S.A. (“Satispay” or “we” or “us”) is a financial regulated intermediary that acts as an electronic money institution (“EMI”) authorized under the laws of Luxembourg. 

At Satispay, we take the protection of personal data seriously. As a data controller, Satispay follows the applicable laws on data protection to make sure we handle personal data correctly when providing our services.

Satispay has appointed a data protection officer (“DPO”) who may help with any questions about the data processing we carry out and/or how to exercise your rights. You can reach our DPO at dpo@satispay.com.

Whose personal data does Satispay process?

Satispay processes personal data concerning a range of individuals (“Data Subjects” or “you”), including:

  • consumers/merchants using the services (“Users”);
  • merchants’ legal representatives and/or ultimate beneficial owners; 
  • prospective Users;
  • individuals aged 14 to 17 seeking parental and/or guardian approval to complete the sign-up and use the services, as well as relatives, guardians and associates of such prospective Users;
  • suppliers, partners and service providers;
  • individuals whose personal data are shared with us by Users when using our services (like phone contacts saved in phone books);
  • individuals who contact Satispay for information via social networks and/or other communication channels. 

How does Satispay collect personal data?

Satispay is committed to collecting only personal data strictly necessary for the pursuit of its purposes. In particular, Satispay collects personal data:

  • from Users during the sign-up process and their usage of our services (heads-up: users between 14 to 17 must always share their parent/guardian’s personal data as part of their registration process);
  • from other Data Subjects via phone, email or social media;
  • from third-party companies that have provided guarantees on the lawfulness of the collection;
  • through checks that Satispay carries out to ensure the accuracy of the received information.

What types of personal data does Satispay process? For what purposes and on what legal basis?

“Personal data” refers to any information capable of identifying directly or indirectly a natural person. In particular, Satispay processes personal identification data (like name, surname, home address, tax code, user ID, photo, age, etc.), contact information (like phone number, email address), financial data (bank account details), as well as other specific data tailored and necessary for each purpose. We only process special categories of personal data (so-called “sensitive data”, like biometric data) where expressly required by law or in case of public interest. 

Below, we detail the types of personal data we process, why we do it and the legal grounds:


Purpose

a) To enable sign-up and provide the services requested by the Users, including service-related communications.

Legal basis

Processing is necessary for the performance of a contract or to take steps at the Users’ request before entering into a contract (art. 6.1, lett. b, GDPR). Plus, we have a legitimate interest in ensuring our services are as effective and efficient as possible (art. 6.1, lett. f, GDPR).

Types of data

  • personal identification data; 
  • contact information;
  • financial data; 
  • some data generated through the use of services, including browser and device information and IP address.


Purpose

b) To prevent and detect financial crimes and fraud, as well as combat terrorism to ensure the service security. To this end, Satispay also uses machine learning models as a measure to better identify potential risks and enforce protective actions against certain Users.

Legal basis

Processing is necessary to comply with legal obligations to which Satispay is subject (art. 6.1, lett. c, GDPR). Plus, we have a legitimate interest in avoiding financial crime and safeguarding our business (art. 6.1, lett. f, GDPR).

Types of data

  • personal identification data; 
  • contact information;
  • financial data;
  • some data generated through the use of services, including browser and device information, IP address.


Purpose

c) To comply with the legal obligations established for all the EMIs, such as verifying Users’ identity and reporting suspicious activities to competent authorities. To this end, Satispay also uses technologies that enable remote automated recognition.

Legal basis

Processing is necessary for the performance of a contract or to take steps at the Users’ request before entering into a contract (art. 6.1, lett. b, GDPR), as well as to comply with legal obligations to which Satispay is subject (art. 6.1, lett. c, GDPR). Plus, we process biometric data to perform a task in the public interest (art. 9.2, lett. g, GDPR).

Types of data

  • personal identification data; 
  • contact information;
  • financial data; 
  • biometric data;
  • some data generated through the use of services, including browser and device information, IP address.


Purpose

d) To send communications to:

  • teach new Users about the functionalities of our app;
  • inform Users on current services, updates on our app, and/or new features related to the services they’ve been using.

Legal basis

We have a legitimate interest in increasing the use and awareness of the services (art. 6.1, lett. f, GDPR). Any direct marketing activities are carried out without the prior consent of the Users when allowed by applicable law.

Types of data

  • personal identification data;
  • contact information; 
  • financial data;
  • some data generated through the use of services (like balance/budget set, account activation date, date of the first transaction, number of transactions within a certain period).


Purpose

e) To send promotional communications to:

  • promote the services, even through profiling activities;
  • conduct marketing campaigns;
  • inform Users about new partnerships with third parties, by promoting the products/services of these third-party companies.

For this purpose, Satispay may also use machine learning models that help optimize the content of promotional campaigns. For Users under 18, Satispay limits profiling to be less intrusive.

Legal basis

Processing is based on the prior consent of the Users (art. 6.1, lett. a, GDPR).

Types of data

  • personal identification data;
  • contact information;
  • some specific data generated through the use of services (like balance/budget set, account activation date, date of first transaction, number of transactions within a certain period);
  • data about participation in some previous promotional campaigns.


Purpose

f) To carry out statistical and trends analyses aimed at improving the services and giving Users the best user experience possible.

Legal basis

We have a legitimate interest in improving its services (art. 6.1, lett. f, GDPR). For this purpose, personal data may also be aggregated and/or anonymized in such a way that identification of Data Subjects is no longer possible.

Types of data

  • personal identification data;
  • financial data;
  • some data generated through the use of services (like balance/budget set, account activation date, first transaction date, number of transactions within a certain period);
  • data generated through the interaction with previous communications.


Purpose

g) To follow up on requests or communications of any nature coming from Data Subjects.

Legal basis

Processing is necessary for the performance of a contract or to take steps at the Users’ request before entering into a contract (art. 6.1, lett. b, GDPR). Plus, we have a legitimate interest in properly replying to requests or communications coming from Data Subjects  (art. 6.1, lett. f, GDPR).

Types of data

  • personal identification data;
  • contact information.


Purpose

h) To establish, exercise or defend Satispay’s rights and/or those of its employees, as well as to carry out corporate transactions (e.g., in case of bankruptcy, merger, acquisition, reorganization, sale of assets, and/or assignments).

Legal basis

We have a legitimate interest in establishing, exercising or defending our rights and/or the rights of our employees, as well as in carrying out transactions essential for our business (art. 6.1, lett. f, GDPR).

Types of data

  • personal identification data.

To find out how Satispay processes personal data through the use of cookies and similar technologies, please see the cookie policy available here.


Who can receive personal data?

Only where strictly necessary, Satispay may share personal data with:

  • other Users for service-related reasons (like, payment to merchants, P2P);
  • service providers for IT, communication, compliance, customer support and management;
  • our staff, including Satispay group’s staff (who provide intercompany services), and business partners for service-related reasons;
  • suppliers of commercial information;
  • where requested, parents, guardians or associated people with Users;
  • where requested, regulatory authorities, financial institutions (like banks and regulated payment services providers), competent courts, law enforcement agencies (including the police), public administrations.

These recipients may act as autonomous data controllers or as data processors. Data processors follow Satispay’s instructions.

Where is data stored and where may it be transferred?

Personal data is stored on servers located in the European Union. If needed for specific purposes, personal data is also transferred to companies located outside the European Union. In this case, Satispay ensures that the data is processed safely and that it has entered into agreements that guarantee an adequate level of protection and/or include the standard contractual clauses provided by the European Commission.

How does Satispay ensure the security of personal data?

Satispay has set up strong internal data security measures as well as technical and organizational measures (like encryption, pseudonymization and anonymization) to keep personal data safe from accidental loss, misuse, alteration, destruction and/or unauthorised access.

Special measures are implemented to safeguard data concerning minors, enhancing their protection and security.

How long does Satispay retain personal data?

Satispay keeps personal data as long as needed to fulfil specific purposes and comply with applicable laws (such as tax or anti-money laundering laws). In particular: 

  • for the purpose outlined in letter a) above, we keep your personal data for the duration of our agreement; 
  • for the purposes mentioned in letters b), c), g) and h) above, we keep your personal data as long as necessary and as required by applicable law. In particular, for anti-money laundering and terrorism prevention, the law requires us to hold such data for 5 years after our services to you end; 
  • for the purposes outlined in letters d) and f) above, we keep your data until you ask us not to use it anymore or request its deletion and, in any case, no longer than the duration of our contractual relationship;
  • for the purpose mentioned in letter e) above, we keep your data until you withdraw the consent or request for the data to be deleted and, in any case, no longer than the duration of our contractual relationship.

In any case, personal data may be stored longer in the event of disputes or requests by the competent authorities.

Which rights may you exercise?

You may exercise at any time the following rights:

  • the right to know whether your personal data are being processed, and, if this is the case, access it (right of access);
  • the right to correct inaccurate or outdated personal data (right to rectification);
  • if possible, the right to obtain the erasure of your personal data (right to erasure). To this end, you may also use the “Delete Account” option within the Satispay app;
  • if possible, the right to limit data processing (right to restriction of processing);
  • the right to receive and share your personal data with another controller in a common format (right to data portability);
  • if possible, the right to object to data processing based on legitimate interest (right to object). If you wish to opt-out from direct marketing communications, you can also click on “Unsubscribe” at the bottom of each communication or use the “Notifications” section in the app;
  • right to withdraw consent for specific data processing activities. You may click on “Unsubscribe” at the bottom of each communication or through the “Notifications” section in the app.

To exercise your rights, you may contact support@satispay.com or dpo@satispay.com.

You also have the right to lodge a complaint with the relevant Data Protection Authority. However, we encourage reaching out to us first to resolve any issues amicably and promptly.

Need help?

We remain at your disposal for any further information.
Contact us

Mobile lost or stolen?
Block your account

Flag
Italy

Satispay Europe S.A. | 53, Boulevard Royal, L-2449 Luxembourg | VAT LU30726739 | a company of the Satispay S.p.A. Group

Electronic Money Institution authorized and regulated by the CSSF, register number: W00000010.