Privacy Policy
Version 0.1
Effective date: 13.02.2024
The current Privacy Policy of "PayMan Group" Ltd aims to assist you in understanding what personal data we collect, why we collect it, and how we use it. Please take the time to carefully read this Privacy Policy. We want you to be aware of how we use your information and the ways in which you can exercise your rights.
This Privacy Policy applies to your personal data when you use our website - www.paymangroup.com (hereinafter referred to as the 'Website'), the PayMan application, your PayMan account, and/or the services/products offered by 'PayMan Group' Ltd. It does not apply to online websites, applications, and/or services/products that we do not own or control.
In this Privacy Policy, the following terms have the following definitions:
PAYMAN SYSTEM refers to the online system created, operated, and maintained by 'PayMan Group' Ltd for issuing electronic money, opening and managing payment accounts, conducting payment transactions, including executing credit transfers, accepting payments, and the associated collection and exchange of data, accessible through the web-based PayMan application. 'PayMan Group' Ltd holds full and exclusive intellectual property rights over the entire system.
THE APPLICATION refers to the web-based application through which you can access the services described in our Terms and Conditions and which, when accessed through your web browser, establishes the connection between the user of the payment service and the PayMan System. 'PayMan Group' Ltd owns all proprietary and non-proprietary rights to the Application.
FUNCTIONALITIES refer to all services provided through the Application, as described in our Terms and Conditions.
TERMS AND CONDITIONS refer to the general terms and conditions for using the PayMan application, published on www.paymangroup.com, and these Terms and Conditions constitute a contract under the Bulgarian Payment Services and Payment Systems Act.
WHO ARE WE?
The company that provides you with services, acting as the Data Controller, is 'PayMan Group' Ltd, a limited liability company, established and existing under the laws of the Republic of Bulgaria, registered in the Commercial Register and Register of Non-Profit Legal Entities with the Registry Agency in the city of Sofia, Republic of Bulgaria, with Unified Identification Code (EIK) 206457036, having its registered office and management address at 102 Bulgaria Blvd., floor 3, office 26, Sofia 1680, Vitosha district, represented by Yordan Yordanov Stoyanov, in his capacity as the Managing Director.
PayMan Group Ltd. is an electronic money institution (EMI) holding a license to operate as an electronic money institution, issued by the Governing Council of the Bulgarian National Bank with Decision No. 247 dated July 7, 2022. It is registered in the register maintained by the Bulgarian National Bank, which can be found here. The Bulgarian National Bank supervises the activities of "PayMan Group" Ltd.
PayMan Group Ltd. also provides technical maintenance and operation of the Website and the Application, accessible at https://paymangroup.com.
You can reach us by sending a message to the following email address: dpo@payman.com, if you have any questions regarding how we collect, store, and use your personal information or if you wish to obtain a copy of the information we hold about you. You can also contact us at the following address: Sofia, 1680, Vitosha district, 102 Bulgaria Blvd., floor 3, office 26, where you will find our Compliance Officer at PayMan Group.
If you have any questions, you can contact us at the following address: MrPayMan@MrPayMan.com.
WHAT IS PERSONAL DATA AND WHY DO WE NEED IT?
Personal data refers to information that describes an individual and is associated with them. The definition of personal data is provided in Article 4, Paragraph 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as Regulation (EU) 2016/679.
In order to provide you with our services/products, we collect personal data about you from the first contact we have with you until the deactivation of your account and profile, and the closure of your opened PayMan account(s). We do not sell or otherwise distribute your personal data.
We may share the personal data and information provided by you, with our selected service providers only when it is essential for the provision of our services/products, as explicitly described below.
CATEGORIES OF DATA SUBJECTS
- Individuals - Users/Clients willing to:
  - Register an account and profile on the Website, and respectively on the Application;
  - Utilize the Application;
  - Use the services/products offered by PayMan Group Ltd.
- Legal representatives of legal entities - Clients willing to:
  - Register an account and profile on the Website, and respectively on the Application;
  - Utilize the Application;
  - Use the services/products offered by PayMan Group Ltd.
WHAT PERSONAL DATA DO WE COLLECT?
We process the following personal data provided by you:
- Personal data provided during the registration of an account and profile on the Website, and respectively on the Application, the use of the Application, and the use of our services/products:
  - Your names, email address, address, mobile phone number, date of birth, nationality, and details of your payment card, and any other information you provide when creating an account and profile on the Website, respectively in the Application, using the Application, and/or when you want to use our services/products.
  - Your photo; copy of personal identification card (passport); photo (selfie) with personal identification card (passport);
  - Information and data about the transactions you make through the Application and the execution of your transaction requests;
  - Information and data about you received from third parties engaged by us for the prevention of fraud, money laundering, and terrorist financing;
  - Information and data about how you use and manage your account and profile, the services/products we support, and the payments you make;
  - Your contact list and phone numbers;
  - Information and data from our communication with you (via our contact form, by phone, email, our accounts on Facebook, Twitter, LinkedIn, and Instagram, or through third parties) when you contact us to report a problem or make an inquiry;
  - Your response to surveys we ask you to complete for research and marketing purposes.
- Personal data obtained from the 'Careers' section of the Website - When you apply for one of our open positions and send us your CV, we will process your personal data provided in the CV, including but not limited to: your full name, phone number, email, photo, work experience, education, biography, interests, personal information from public profiles/websites if provided, and others.
- Personal data obtained from the 'Newsletter' section on the Website - When you visit our Website, you may be asked if you would like to receive our newsletter containing content that we believe may align with your interests, including news, special offers, promotions, or to contact you regarding products or information that we think may interest you, including information about third-party products and services. You can unsubscribe from this service at any time. If you opt-out of receiving our newsletter, we may still send you messages regarding services you have requested or received from us. For the purpose of sending our newsletter, we will process your name and email address. Please note that we use your personal data for the purposes stated above only with your prior consent. We will process this data until you unsubscribe from our newsletter. Each newsletter you receive includes an unsubscribe button, allowing you to easily opt-out at any time. When we send our newsletter, we may also process usage data of our Website by you ('usage data'). Usage data may include your IP address, geographic location, type and version of the browser, operating system, referral source, duration of visit, page views, and website navigation paths, as well as information about the timing, frequency, and pattern of your service use.
FOR WHAT PURPOSES DO WE USE YOUR PERSONAL DATA AND INFORMATION?
We use your personal data and information to:
- Register and maintain your profile in the Application.
- Provide you with the payment services offered by 'PayMan Group' Ltd and contact you regarding the services we provide. For example, opening, launching, and administering your profile, your PayMan account (including the use of mobile phone numbers and email addresses to provide balance updates and transaction alerts).
- Collect our fees and/or expenses related to the services and products described in our Terms and Conditions.
- Respond to any inquiries or questions you may have about our services;
- Conduct checks, verify your identity, and validate your address in accordance with legal requirements.
- Prevent and/or detect fraud, money laundering, and/or terrorist financing, including tracking and documenting suspicious and/or fraudulent behavior and/or suspicions of false or inaccurate information.
- Fulfill and comply with our legal obligations, including under the Bulgarian Measures Against Money Laundering Act and the Regulations for Application of the Measures Against Money Laundering Act.
- Offer you our other services/products if you have given prior consent;
- Analyze the usage of the Website.
- Review your job application, communicate with you, and facilitate the interview process.
- Enhance user understanding of our services through conducting research and market studies.
- Conduct promotional games and lotteries to promote the application.
In addition to the specific purposes for which we may process your personal data as outlined above, we may also process your personal data when such processing is necessary to comply with a legal obligation that we have or to protect your vital interests or the vital interests of another natural person.
We will not use your personal data for purposes other than those described above. We will seek your consent before using the information for purposes other than those outlined in this Privacy Policy.
BASIS FOR COLLECTING AND PROCESSING YOUR PERSONAL DATA:
- The legal basis for processing your data for your account and profile on the Website, respectively in the Application, is: the signed agreement between us, our legitimate interest in the proper administration of the Website and the Application, as well as our legal obligation to implement identification and high-level authentication mechanisms when providing payment services.
- Your account data is unique and includes your email address, mobile phone number, and password, while your profile may include your name, email address, date of birth, nationality, address, photo, and phone number. You provide us with this information to register your account and profile and to use our services/products. Account and profile data may be processed to:
  - Access your account and profile through the Website, respectively through the Application;
  - Provide you with our services/products;
  - Have full access to the services we provide, your PayMan account, and PayMan card;
  - Monitor your actions and transactions.
- The legal basis for processing your data provided in the process of using our services/products is: the agreement concluded between us and you (your acceptance of our General Terms and Conditions, which constitutes a contract under the Payment Services and Payment Systems Act) and our legal obligation - the proper administration of the application and monitoring for the purpose of preventing fraud, money laundering, terrorism financing, and ensuring security.
- Data on the use of services may include, but is not limited to: access logs to our Website and Application, as well as a history of the services/products provided and used. The source of data on the use of services/products is the Website, respectively the Application, where you maintain a registered account and profile. Data on the use of services/products may be processed for the purposes of the Website's functioning, the Application, providing our services/products, ensuring the security of the Application and services/products, maintaining secure backups of our database, and communicating with you.
- The legal basis for processing your personal documents uploaded to our website, respectively Application, through your registration is: our legal obligation as an obligated entity under Article 4 of the MAMLA (Measures Against Money Laundering Act) to confirm your identity for reasons related to combating money laundering and terrorism financing before providing you with payment services, a PayMan account, and a PayMan card. Data in the form of attached files can be processed for the purposes of identifying and verifying your identity, allowing you to use our Application and our services/products.
- The legal basis for processing information contained in any inquiries you send us regarding our services is: the contract signed between us and our interest in providing you with information and improving our communication channels with you.
- The legal basis for processing information related to transactions and the services/products provided through the Website, PayMan Application, and PayMan account is: fulfilling our legal obligations and executing contracts concluded between us and you. These data may include bank account information, card details, and transaction history details. This information may be processed for the purpose of providing services and maintaining accurate records of these transactions in our system.
- The legal basis for processing the information you provide as subscribers to our newsletters (or email notifications) is: Your consent OR the performance of a contract between you and us and/or taking steps at your request to enter into such a contract for using the services/products offered by PayMan Group Ltd. Data for notifications may be processed for the purpose of sending the respective notifications and/or newsletters.
- The legal basis for processing the information contained in or relating to any communication you send us is: our legitimate interests in the proper administration of the Website and our contractual relationship. Correspondence data may include the content of the communication and metadata related to the communication. Our website generates metadata associated with communication through the contact form. Correspondence data may be processed for the purposes of communicating with you and maintaining archives of requested and provided information.
- The legal basis for processing information from your contact list and phone numbers for the purposes of providing the services of the Application is: Your consent.
- The legal basis for processing all personal data mentioned in this Privacy Policy, when necessary for establishing, exercising, and/or defending legal claims, whether in legal proceedings and/or in administrative and/or extrajudicial proceedings, is: our legitimate interest in protecting and asserting our legal rights, your legal rights, and the legal rights of third parties.
- The legal basis for processing data from the 'Newsletter' section of the Website is: Your consent.
DATA COLLECTION
We process and use only personal data that is provided voluntarily and personally by you. This means that you are responsible for not providing data to third parties in violation of their data protection rights, as we do not have a practical means to control whether you provide us with data from third parties with their knowledge and consent, given in accordance with legal requirements. We do not monitor and/or control the content entered and/or uploaded by you.
DATA RETENTION
- The retention period for your data, if you have contacted us through our contact forms, is 12 (twelve) months to facilitate communication and assist you with any queries.
- The retention period for your data, if you have submitted your CV when applying for a job opening, is 6 (six) months. If you have provided your Consent, we will retain your data for a period of 12 (twelve) months.
- If the legal basis for processing your personal data and personal information is Consent, you have the right to withdraw this consent at any time. The withdrawal will not affect the lawfulness of processing before the withdrawal, nor will it affect or restrict processing on another lawful basis or contract.
- All personal data collected for the purposes outlined in this Privacy Policy and based on the specified legal grounds will be retained for a minimum period of 5 (five) years after the termination of our Service Agreement.
SECURITY MEASURES
We have implemented a wide range of technical and organizational measures to protect your personal data against loss or other forms of unlawful processing. However, please be aware that even the best security measures cannot completely eliminate all risks. Personal data is only accessible to those individuals who need access to perform their work in connection with providing our services. These individuals are trained and authorized accordingly. Our staff processes personal data in accordance with the requirements for legality, confidentiality, ethics, and appropriate data use. Staff is required to sign a confidentiality agreement and receive proper training on online privacy and security.
We strive to protect all information on the Application as necessary. You are responsible for maintaining the confidentiality of your personally identifiable data, keeping your access passwords to the Website and the Application confidential and secure. You should change your password immediately if you suspect that someone has gained unauthorized access to it or to your profile. If you lose control of your account, you must promptly notify the contact person indicated at the beginning of this Privacy Policy.
SUB-PROCESSORS AND PROCESSING OUTSIDE THE EU
To provide quality services, we may engage third-party service providers - Subprocessors, carefully selected according to their capacity to protect and process personal data in accordance with our obligations under the GDPR. We provide personal data to our sub-processors to process on our behalf, only based on our instructions and in accordance with our Privacy Policy and any other appropriate privacy and security measures. We do not sell or distribute your personal data in any other way.
We may transfer data collected from you to physical/legal entities ("Recipients") outside the EU and the European Economic Area ("EEA"). When we make such transfers to third countries, we do so in accordance with the terms of this Privacy Policy, EU data protection rules, especially GDPR. This may include (i) transferring data to Recipients located in countries, territories, or sectors within such countries, which are recognized as providing an adequate level of protection for the respective individuals; (ii) transfers under data transfer agreements that include standard contractual clauses approved by the Commission/Commissioner of the EU; or (iii) derogations for specific situations provided in EU data protection law, among others.
You confirm that you are informed and aware that there may be certain possible risks of transferring personal data to third countries outside the EU/EEA, including the USA, for example: the third country may not provide an adequate level of data protection under Article 45 of the GDPR.
We may disclose specific personal data required for the purposes of identifying and verifying your identity, performed by our authorized providers and/or subprocessors, when this is reasonably justified for specific purposes. In any case, you expressly agree, in view of the services provided by us, that we may provide your data to credit reporting agencies and/or agencies/companies/organizations for fraud prevention, anti-money laundering, terrorism financing prevention, and other organizations: to check all the personal information provided by you to confirm your identity. Agencies may record your information and the searches made (even if your acceptance as our client is unsuccessful or not completed).
Here is a list of our data subprocessors:
Name | Service | Country |
---|---|---|
Microsoft | Servers | EU |
MailChimp | Mail services | USA |
iDenfy | KYC | Lithuania |
Notolytix | Transaction/Fraud Monitoring (AML) | Bulgaria |
LexisNexis | Compliance checks in sanctions, PEP, and other types of blacklists | EU |
Link mobility | Communication services | EU |
iCard | vPOS service for top-up with a card | Bulgaria |
We may replace our sub-processors from time to time. You agree that the list of current sub-processors may change. You agree that if we change the list of sub-processors, we may inform you of such updates through our newsletters. You agree that if we change the list of sub-processors, we will provide reasonable written notice to clients through our newsletter or by email.
You expressly agree and give your consent that you may be the subject of automated risk assessment; however, we assure you that final decisions are always made by an authorized employee of the company.
DATA THAT WE SHARE
We do not share information containing personal data with legal entities, organizations, or individuals unless one of the following circumstances applies:
- With Your Consent - We will share information containing personal data with legal entities, organizations, and individuals when we have your consent to do so.
- For the Provision of Certain Services - With third parties processing personal data - as described above.
- Legal Requirements - We will share information containing personal data with other legal entities, organizations, or individuals if we have a reasonable belief that access, use, preservation, or disclosure of the information is reasonably necessary and/or mandatory for:
  - the purposes of an applicable law, regulation, during legal proceedings, or a valid court decision
  - collection of due amounts
  - investigation of potential violations
  - detection, prevention, or otherwise addressing fraud, technical issues, or security issues
  - protection against harm to our rights, property, or safety, as required or permitted by law.
UNDER 18
We allow our Website, Application, and services/products to be used only by individuals over the age of 18. If we receive information that we have collected personal data from an individual under the age of 18, we will promptly delete it unless we are required to keep it by law. Please contact us if you believe that we have mistakenly or inadvertently collected information from an individual under the age of 18.
YOUR RIGHTS
- You have the right to request a copy of your personal data at any time, verify the accuracy of the stored information, correct or update this information, and request the deletion of your personal information if grounds for such deletion exist, as described below. Additionally, you have the right to file a complaint when your rights regarding the protection of personal data have been violated. Below, we have provided a detailed description of your rights as data subjects:
- You have the right to request confirmation of whether personal data related to you is being processed and to request a copy of your personal data, as well as information related to the collection, processing, and storage of your personal data;
- You have the right to request the deletion of your personal data if one of the following grounds exists: personal data is no longer necessary for the purposes for which it was collected; you have objected to the processing; processing is unlawful; your consent has been withdrawn; personal data must be deleted to comply with a legal obligation under EU law or the law of a Member State applicable to the Controller. Your request to delete your personal data may be denied for the following reasons: exercising the right to freedom of expression and information; to comply with our legal obligation or perform a task carried out in the public interest or in the exercise of official authority; for reasons of public interest in the area of public health; for the establishment, exercise, or defense of legal claims.
- You have the right to request the correction of your personal data if it is inaccurate or incomplete.
- You have the right to request the restriction of the processing of your personal data if applicable and if there is a reason for it, for example: you contest the accuracy of your personal data for a period that allows us to verify the accuracy of the personal data; processing is unlawful, but you do not want the personal data to be deleted, only the use to be restricted; we no longer need your personal data for processing purposes, but you require them for the establishment, exercise, or defense of legal claims; you have objected to the processing pending the verification whether our legitimate grounds override your interests.
- You have the right to request to receive your personal data concerning you, which you have provided, in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another controller when processing is based on consent or a contractual obligation and processing is carried out by automated means.
- You have the right to object to such processing of your personal data by contacting the Compliance officer if there are grounds for objection.
- You may address all requests to the Compliance Officer, as indicated above. In order for us to provide you with full assistance, please provide accurate information about yourself and specify your request. It is possible that when exercising your rights, we may request additional information to verify your identity.
- Please be aware that when your requests are evidently unfounded or excessive, particularly due to their repetitive nature, we may:
  - impose a fee, taking into account the administrative costs for providing the information or communication or taking the requested actions
  - refuse to take action on the request.
- We will make reasonable efforts to honor your request within 30 days of receiving your request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests.
- We may reject requests that are unreasonably repetitive, require disproportionate technical efforts (such as the development of a new system or a fundamental change to an existing practice), risk the privacy of others, or would be extremely impractical (for example, requests concerning information located in backup systems). When we can provide access to information and correction, we will do so free of charge unless it would require disproportionate efforts.
- If you file a privacy-related complaint, we will collect your name and/or company name, the name of the person associated with the complaint, email address, and location in the country, as well as details that have led to your complaint. We will use the information provided by you to investigate your complaint and send you a response once your complaint has been reviewed.
PERSONAL DATA PROTECTION AGENCY
If you believe that we have violated your rights regarding your personal data, you have the right to lodge a complaint with the supervisory authority in Bulgaria, the Commission for Personal Data Protection (CPDP), with the following contact details: Sofia 1592, Prof. Tsvetan Lazarov Blvd. No. 2; kzld@cpdp.bg. More information can be found at: www.cpdp.bg.
You may also file your complaint in the country where you live, work, or where you believe we are infringing on your rights.