Data protection policy

1. The principles how Papaya processes personal data are described in this Policy.

   The Policy apply if you visit our Website or/and use, have used or have expressed an intention to use or are in other way related to any of the services provided by us.

   1. Definitions

   “Biometric data” means Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images.

   “Controller” means a person which determines the purposes and means of the Processing of Personal data.

   “Personal data” means any information about personal or factual circumstances of a specific or identifiable natural person, such as e.g. name and surname, date of birth, place of birth, identification document (including type of identification document, issue date, ID number, issuing authority), address, telephone number, mobile phone number, e-mail address, IP address, online identifier, location data, images and information on transactions and accounts.

   “Policy” means this Data protection policy.

   “Processing” means any operation carried out with Personal data (incl. collection, recording, storing, alteration, grant of access to, making enquiries, transfer, etc.).

   “Processor” means a natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller.

   “Profiling” means any form of automated processing of Personal data consisting of the use of Personal data to evaluate certain personal aspects relating to you, in particular to analyse or predict aspects concerning that your performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

   “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

   “Third party” means a natural or legal person, public authority, agency or body other than you, we (asa Controller), Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process personal data.

   “we”, “us” or “our” or “Papaya” means Papaya Ltd., registered with the Registrar of Companies in Malta, with registered office: 31 Sliema Road, Gzira GZR 1637, Malta, and registration no. C 55146. VAT No.: MT 2075 1731; Papaya’s head office is located at 31 Sliema Road, Gzira GZR 1637; electronic mail address - info@papaya.eu. Papaya Ltd is Electronic Money Institution (EMI), headquartered in Malta and regulated by the Malta Financial Services Authority (MFSA).

   “Website” means Papaya’s website at www.papaya.eu.

   “you” or “your” refers to individual who use, have used or have expressed an intention to use or are in other way related to any of the services provided by us.

2. 2. General provisions

   1. The purpose of this Policy is to inform you about Processing of your Personal data.
   2. By giving us your Personal data, you consent to us processing that Personal data for the purposes stated in this Policy.
   3. We ensures, within the framework of applicable law, the confidentiality of Personal data and has implemented appropriate technical and organisational measures to safeguard Personal data from unauthorized access, unlawful Processing or disclosure, accidental loss, modification or destruction.
   4. We may use authorised Processors for Processing of Personal data. In such cases, we take needed steps to ensure that such data processors Process Personal data under our instructions and in compliance with applicable law and requires adequate security measures.
   5. We are not responsible for the processing of Personal data by any person acting as a data controller, and such processing is not covered by this Policy.

3. 3. Data controller

   1. The controller of personal data we collect, process and use pursuant this policy is:
      1. Papaya Ltd., registered with the Registrar of Companies in Malta, with registered office: 31 Sliema Road, Gzira GZR 1637, Malta, and registration no. C 55146. VAT No.: MT 2075 1731; Papaya’s head office is located at 31 Sliema Road, Gzira GZR 1637; electronic mail address - info@papaya.eu. Papaya Ltd is Electronic Money Institution (EMI), headquartered in Malta and regulated by the Malta Financial Services Authority (MFSA).

         Representative: Mr. Marko Dronjaks, Head of Compliance (marko@papaya.eu).

4. 4. Categories of personal data

   1. Personal data may be collected exactly from you, from your use of the services, from external sources (public and private registers, open sources) or other third parties. Personal data categories which we primarily, but not only, collect and processes are:
      1. Identification data: name, and surname, date of birth, place of birth, identification document (including type of identification document, issue date, ID number, issuing authority), your selfie (photo).
      2. Contact data: address, telephone number, mobile phone number, e-mail address.
      3. Data about tax residency: data about the country of residence, tax identification number, citizenship.
      4. Family data: information about your family and other related person’s.
      5. Professional data: educational or professional career, occupation.
      6. Financial data: accounts and accounts data, payment instruments and payments instrument data, ownership, transactions, credits, income, liabilities, your financial experience and reputation, as well as other related data collected during the provision of services.
      7. Data on origin of assets or wealth: data regarding you transaction partners and business activities.
      8. Data about due diligence: data about payment behavior, data that enables us to perform our due diligence measures regarding money laundering and terrorist financing prevention and to ensure the compliance with national and international sanctions.
      9. Data processing by performing an obligation arising from law: data resulting from enquiries made by investigative bodies, notaries, tax administrator, courts and bailiffs.
      10. Communication data: data collected when you visit us or communicate with us via telephone, visual and/or audio recordings, e-mail, messages and other communication mechanisms, data related to your visit at Website or communicating through other channels (for example, mobile application).
      11. Data related to contractual obligations: the performance or the failure of the agreements, executed transactions, usage of ATMs, submitted applications, requests and complaints, service fees and charges.
      12. Data about the relationships with legal entities: data for the execution of transactions on behalf of the legal entity in question.
      13. Location data, for example, GPS coordinates.
      14. Information Technology data, for example, IP address, online identifier, information about device.
      15. Special categories of data, for example, Biometric data, such as facial images.

5. 5. Purposes of processing

   1. We collect your personal data primarily for the following purposes:
      1. the performance of contractual and pre-contractual obligations: handling (processing) of your application for services prior to entering into an agreement; conclusion and execution of agreements; keeping Personal data updated and correct by verifying and enriching through external and internal sources based on performance of an agreement or in order to take steps at your application prior to entering into an agreement or compliance with a legal obligation;
      2. the protection of your und our interest: assurance and examine the quality of services provided by us; providing proof of a transaction or of communication based on the performance of an agreement or in order to process your application prior to entering into an agreement or compliance with a legal obligation or your consent or our legitimate interests to prevent, limit and investigate any misuse or unlawful use or disturbance of our services; our legitimate interest to protect you, our employees, visitors and our and your assets;
      3. the prevention of abuse of services and provision of adequate services to ensure the safety of information and our digital services based on the performance of an agreement or in order to process your application prior to entering into an agreement or compliance with a legal obligation or your consent or our legitimate interests to have control over authorizations, access to and functioning of our digital services; to improve technical systems and IT-infrastructure based on our legitimate interests to improve technical systems and IT-infrastructure;
      4. the ensuring compliance with applicable laws and regulation to which we are subject, including laws and regulation related to tax, prevention of money laundering and funding of terrorism, reporting to competent authorities, and compliance with orders from any court or competent authority;
      5. the execution of transaction through the payment system to execute international transactions or/and domestic payments via credit institutions or/and domestic, European and international payment systems and to comply with rules and obligations of European and international standards and certification schemes based on the performance of an agreement or in order to process your application prior to entering into an agreement or compliance with a legal obligation;
      6. the promotion and marketing of our products and services: offering to you our additional services, including personalized offers, based on your consent or our legitimate interest to offer additional services. The performance of market analyses based on our legitimate interest to improve our services and to develop new products or your consent;
      7. risk assessment and analysis to carry out risk assessments in order to determine which services and on what terms can be offered to you, to comply with applicable law relating to risk assessments, capital requirements, internal calculations and analyses based on the performance of an agreement or in order to process your application prior to entering into an agreement or compliance with a legal obligation or our legitimate interests to a sound risk management.
   2. Providing your Personal data to us is optional. However, if you choose not to provide certain Personal data to us, we may not be able to deliver products or services to you.

6. 6. Profiling and automated decision making

   1. Profiling is used to make analysis for advice, for automated decision-making about conclusion of the agreement and/ or continuation of the agreement, for risk management, for transaction monitoring to counter fraud and is based on our legitimate interest, compliance with a legal obligation, performance of an agreement or consent from you.
   2. Unless direct marketing has been restricted by you, we may process Personal data for the purpose of providing general and personalized offers of our services. Such marketing may be based on services you use and on how you navigate in digital our channels.
   3. For personal offering and marketing based profiling, we ensure that you can make choices and use a convenient tool to manage your privacy settings.

7. 7. Processing of personal data

   1. Personal data will be processed by our employees and officers.
   2. Personal data may also be transferred to authorised Processors who act for or on our behalf, for further processing in accordance with the purpose(s) for which Personal data were originally collected. These Processors have contracted with us to only use your Personal data for the agreed upon purpose, and not to sell your personal information to third parties, and not to disclose it to third parties except as may be required by law, as permitted by us or as stated in this Policy.

8. 8. Recipients of personal data

   1. Personal data may be shared with other Recipients, such as:
      1. authorities (for example, supervision authorities and financial intelligence units, law enforcement authorities, bailiffs, notary offices, tax authorities);
      2. credit and financial institutions, intermediaries of financial services, third parties involved in execution of the transaction, settlement and reporting cycle;
      3. participants and/or parties related to domestic, European and international payment systems, such as SWIFT;
      4. third parties that supervise and audit our operations;
      5. third parties maintaining registers (for example, credit registers, population registers, commercial registers);
      6. other persons who provide services to us, such as postal services.

9. 9. Retention period

   1. Your personal data will not be stored for a time period exceeding the necessary term to the purpose of their collection, according to applicable law.

10. 10. Transfer of personal data to countries outside the european union

    1. Personal data may be transferred outside the European Union in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539).

11. 11. Your rights as a data subject

    1. You are entitled to
       1. receive information if your Personal data is being processed by us and if so then to access it;
       2. receive Personal data provided by you and processed by us based on consent or in order to perform an agreement in written or commonly used electronical format and were feasible transmit such data to another service provider;
       3. require the correction your Personal data where appropriate (if it is inadequate, incomplete or incorrect).
       4. withdraw your consent for Processing of your Personal data;
       5. require the erasure of your Personal data. Such right does not apply if Processing of Personal data also based on legal grounds such as agreement or obligations based on applicable law.
       6. object to Processing of your Personal data, if the use of Personal Data is based on a legitimate interests, for example, for direct marketing;
       7. restrict the Processing of your Personal data under applicable law;
       8. not to be subject to fully automated decision-making, including profiling, if such decision-making has legal effects or similarly significantly affects you. This right does not apply if the decision-making is necessary in order to enter into or to perform an agreement with you, if the decision-making is permitted under applicable law or if you have provided an explicit consent.
    2. If you wish to exercise any of your rights as a data subject or if you have any questions, please contact us by sending an e-mail to customerservice@papaya.eu, by visiting us or writing to us at Papaya Ltd., 31, Sliema Road, Gzira, GZR 1637, Malta.
    3. If you have any concerns about your personal data processing by us you have a right to make a complaint to the Information and Data Protection Commissioner of Malta (https://idpc.org.mt).

12. 12. Use of cookies and web beacons

    1. We may use Cookies. “Cookies” are small text files sent by a Website or mobile application (if you use it) so that the Website or mobile application can recall who you are; they serve as a memory, therefore, enabling a Website or mobile application to remember users who have already visited the site. Such cookies are stored on your access device.
    2. More detailed information about cookies and similar tracking technologies is given in our Cookie Policy (posted on the Website or mobile application).

13. 13. Links to other websites

    1. Our Website or mobile application may contain links to websites operated by third parties. When connecting to such other websites you will no longer be subject to this Policy but to the privacy and data protection policy of the other website. We are not responsible for the privacy and data protection practices of these other websites and we encourage you to read the privacy and data protection statements of each website you visit, which may collect personal information.

14. 14. Changes to this policy

    1. This Policy is available to you in the premises of our main office, on the Website, in mobile application (if you use it). We may change this Policy at any time by notifying you of any amendments in the premises of our main office, on the Website, in mobile application (if you use it) not later than one month prior to the amendments entering into force.