Privacy Notice to Our Customers
Sikirapay (SP) hereby certifies and adopts the policies and procedures contained in this document.
SP acts as program manager for the product and is responsible for the day to day operation and distribution of the program as agreed to by the Issuer. As such, SP is the independent Data Controller for any personal data which you provide which is not related to issuance of account or card.
The Electronic Money Issuer of the SP programme is UAB Pyrros Lithuania, (Co.#304600426) established and operating under Lithuanian Law. Registered address at Gostauto g. 8-112, Vilniaus, LT-01108. Pyrros under their status of an Authorised E-Money Institution, is the independent Data Controller for the personal data which you provide to us.
- Who we are
This notice sets out how we process collect, use, store, share and protect the personal data of individuals who are customers, potential customers, users of our website and mobile application, or recipients of payments by our customers (“merchants”).
Personal data collected by UAB Pyrros group is used for the following purposes:
- Account opening;
- Client identification;
- Client risk assessment mandatory under the applicable laws;
- Clients activities monitoring and risk reviews
- To provide clients with support, letting them know about upcoming changes or improvements of Website and/or Mobile APP;
- Provide clients with information regarding changes of any terms or conditions applicable to them or Services they use as well as other important information.
- Developing the Website and Mobile App. We use Personal data to conduct research and development of our Website, Mobile App and Services in order to provide you and others with a better, more intuitive and personalized experience, drive membership growth.
- Contact us
Please direct all questions and requests you have about privacy and data protection to our privacy department below.
Pyrros can be contacted by: email – email@example.com
Data Protection Officer
If you are unhappy with the responses of our privacy department you may contact our Data Protection Officer by email – firstname.lastname@example.org
4. Why we process your personal data
We are a provider of payment services and for this reason, according to laws, we have an obligation to collect personal data and information during the registration, identity verification and the use of our services.
The types of processing we do are:
- Processing to enable the issuing, transfer and redemption of electronic money (“e-money”), i.e. the buying, the use and the cashing out of e-money on your prepaid cards.
- Processing to facilitate a payment transaction, i.e. using the e-money on your prepaid card to buy goods or services.
- Processing to facilitate access to and the services offered on our website.
- Transfer of personal data into and out of the European Economic Area (“EEA”).
- Transfer of personal data to and from third parties who perform the processing listed above on our behalf.
- Cloud storage/servers providers.
- Card issuing institutions. For the purpose of providing you with a card in order to use our Services.
- Identification and verification services providers – in order to verify your identity.
- Auditors, accountants and lawyers: In order to complete financial, technical and legal audits, we may need to share information about you as part of such audit.
- Other service providers with which we have concluded service provision agreements or when such sharing is mandatory according to applicable law. We only use the services of those data processors which ensure safeguards and use technical and organizational security measures equivalent to the ones required by EU General Data Protection Regulation.
- As a regulated financial institution, we may need to share your Personal Data to state and public authorities. We will only do so when we are legally required to provide information or when we need to take legal action to defend our rights, as well as the cases, where we have a belief in good faith that access, use, preservation or disclosure of the information is reasonably necessary to meet any applicable law, regulation, legal process or enforceable governmental request, enforce applicable Terms of Services, including investigation of potential violations, detect, prevent or otherwise address fraud, security or technical issues.
- We may partner with other financial institutions, such as banking, credit and financial services partners, including banking partners, banking intermediaries, credit companies and international payments services providers. With their help we are able to provide you Services and in order to meet legal and regulatory requirements we might be obligated to share your account details with such partners to the extent you actually transact or interact with customers of such partners.
Our services are:
- The issuing of electronic money.
- Payment services.
- The provision of our website for both customers and visitors.
In order to provide our services to you under a contract between us (or for us to take steps at your request with a view to entering into a contract) we must process your personal data, which is a lawful basis under which to process your personal data Article 6(1)(b) of General Data Protection Regulation (“GDPR”)]).
We will collect personal data from you and third parties, and also create personal data.
4.2 Direct marketing and consent
We may process your personal data for the purposes of marketing our services to you. In order to process your personal data for marketing purposes we will obtain your consent to do so in advance, which is a lawful basis under which to process your personal data Article 6(1)(a) GDPR]).
If you have not consented to our marketing, you may do so at any time by clicking here [insert link to opt in for marketing].
If you have consented to our marketing, you have the right to withdraw your consent by clicking here [insert link to opt out of marketing].
We will not process your personal data for the purposes of marketing the services of third parties.
4.3 Categories of personal data and information
The categories of personal data about you we will process are:
- Residential address
- Correspondence address
- Date of birth
- Personal number
- Identity card validity date
- ID document number (national identification card/ Passport Number/ Itinerary document)
- Source of Funds,
- Copy of identification document (ID / Passport / Itinerary document)
- Mobile number
- Landline number
- Employment status
- Business address
- Employer name and contact details
- Political views
- Criminal record check
- History of transactions (date, information of payer and payee, amount of transaction)
- Messaging history, including, but not limited to, claims and complaints made by you is processed due to the performance of obligations regarding provision of Services.
- Your behavior while using your services (your clicks, visited sections)
- Your payment card information: date of issue and expiry date;
- Sharing your data
We will not share your personal data with third parties outside the Pyrros Group except for the purposes of issuing e-money, making payment transactions and the provision of our website.
We will share data due to our legal obligation under the terms of your contract or Cardholder Terms and Conditions for the purposes of issuing e-money, making payment transactions and the provision of our website.
We will process your personal data on our behalf to enable us to process for reasons sets out in clause 4.
- Storage of your data
We will not store your personal data any longer than we need to store it. As a regulated financial institution is obligated under the applicable laws regarding prevention of money laundering and terrorist financing as well as of Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania to retain this information:
- Client identification data and verification data – eight years after termination of the contract relations;
- History of transactions – five years after terminations of the contract relations.
We will, retain the personal information so that:
- We can allow you to redeem any e-money that you have not spent on your prepaid card.
- We can provide you with the necessary information regarding payment transactions if you wish to make a legal claim against us regarding our services.
- Your data rights
You have the following data rights:
- The right of access.
- The right to rectification (correction).
- The right to erasure (i.e. the right to be forgotten).
- The right to restriction of processing.
- The right to data portability.
- The right to object
In order to process your request to exercise your data rights we will require you provide us with such information or documents we request in order to verify your identify before we can process your access request. Your request will be deemed to be received on the date we verify your identity.
We will respond to requests within one month of our receipt of your request. If your requests are complex or numerous, we will inform you within the initial one-month response period that we will require a further two months in which to respond, i.e. we will respond within three months of our receipt of your request.
You may request to exercise your data rights by email, or by post. Where you make a request electronically we will respond electronically by email or by granting you remote access to a secure self-service system, which would provide you with direct access to your information.
7.1 Right of access
You may request the following information:
- confirmation that your personal data is being processed;
- a copy of the personal data held about you excluding any personal data that is prohibited from providing such as data that would adversely affect the rights or freedoms of others; and
- a copy of this privacy notice.
The information will be provided free of charge except where:
- the request is manifestly unfounded or excessive, particularly if it is repetitive;
- the request is for further copies of the same information.
In these cases we will charge a fee of €10 which will cover our administrative cost for providing you with the information.
Please note that if we find your access request to be manifestly unfounded or excessive, we may refuse to provide the requested information. In this case we will inform you why we are not providing you with the information set out above, that you have the right to complain to our supervisory authority for data protection purposes, the State Date Protection Inspectorate, and that you have a right to file a case with the courts.
7.2 Right to rectification (correction)
You have the right to have any personal data corrected if it is inaccurate or incomplete. We will require you to provide documents or information to demonstrate that the personal data is inaccurate or incomplete.
If we have disclosed such personal data to third parties, we will contact each third party and inform them of the correction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
If we refuse to comply with your request, we will inform you why we are not making the corrections, that you have the right to complain to the State Date Protection Inspectorate and that you have a right to file a case with the courts.
7.3 Right to erasure
The right to erasure only applies when:
- the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- you withdraw consent for the processing of personal data where consent is the sole legal basis of the processing;
- you object to the processing and there is no overriding legitimate interest for continuing the processing;
- the personal data is being unlawfully processed;
- the personal data has to be erased in order to comply with a legal obligation;
We may refuse to erase the personal data if the following conditions apply:
- the personal data is processed to comply with a legal obligation for the performance of a public interest task or exercise of official authority; or
- the personal data is processed for the exercise or defence of legal claims.
If we have disclosed personal data that is to be erased to third parties, we will contact each third party and inform them of the erasure unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
7.4 Right to restriction of processing
We will restrict the processing of personal data in the following circumstances:
- Where you contest the accuracy of the personal data, we will restrict the processing until we have verified the accuracy of the personal data.
- Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our legitimate grounds override your interest, rights and freedoms.
- When processing is unlawful, and you oppose erasure and request restriction instead.
- If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim.
If we have disclosed personal data that is to be subject to restriction to third parties, we will contact each third party and inform them of the restriction unless this proves impossible or involves disproportionate effort. If you expressly request us to do so, we will inform you about these third parties.
We will inform you if we decide to lift the restriction on processing.
7.5 Right to data portability
The right to data portability only applies:
- to personal data that you have provided to us;
- where the processing is based on your consent or for the performance of a contract; and
- when the processing is carried out by automated means.
We will provide you with this personal data in form of a .CSV file or another file format that is agreed upon in advance and presents the personal data in a structured, commonly used and machine-readable form.
We will provide this information free of charge. If you so request, we transmit the information directly to another information if this is technically feasible.
If we refuse to comply with your request, we will inform you why we are not providing the information, that you have the right to complain to the State Date Protection Inspectorate and that you have a right to file a case with the courts.
7.6 Right to object
You have the right to object to our processing of your personal data based on our legitimate interests on grounds relating to your particular situation except:
- where we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
- the processing is for the establishment, exercise or defence of legal claims.
You have the right to object to our processing of your personal data for direct marketing purposes.
We will comply with your objections unless an exception applies.
You have the right to lodge a complaint to the national Data Protection Agency (DPA) in the country of residence in the event where your rights may have been infringed. We would, however, appreciate the chance to deal with your concerns before you approach the DPA and find a solution at your satisfaction. So please contact us in the first instance.
- Source of personal data
We will collect personal data from:
- Programme Managers or Partners
- third party databases for the know your customer (“KYC”) purposes;
- Automated processing
- We will make decisions solely on the basis of automated process when deciding whether to enter into a contract with you to provide you with a prepaid card. This decision will be based on the information collected from the sources list in clause 9 and risk factors assigned to each piece of relevant information.
You may challenge our decision by contacting us and asking us to reconsider your application using a manual process involving an individual to make the decision.
UAB Pyrros Lithuania (“Pyrros”) (Co. #304600426) is established and operated under Lithuanian Law. UAB Pyrros Lithuania registered address at Goštauto g. 8-112, Vilniaus, LT-01108. UAB Pyrros Lithuania is an Electronic Money institution Licenced by the Bank of Lithuania under licence no.38.