PRIVACY DISCLAIMER

 

1. TERMS AND DEFINITIONS

1.1. Disclaimer – this Company Privacy Disclaimer.

1.2. Data subject (also "you") - natural person whose data is processed by the Company.

1.3. EU/EEA – European Union and/or European Economic Area.

1.4. Application software (also "Application" or "Application") - the Company's application software ZalaPay POS, maasa.pos and ZalaPay Kase used by the Data Subject.

1.5. Website – Company website www.zalapay.com.

1.6. Company (also "we") - SIA maasa, registration number: 40203263318, legal address: Skanstes iela 52, Riga.

1.7. GDPR – General Data Protection Regulation.

1.8. For other terms used in this Disclaimer, which are defined in Article 4 of the GDPR - e.g. "personal data", "processing", "controller", "processor", "recipient", "profiling", etc. – has the same meaning as defined in the said article.

 

2. PURPOSE AND SCOPE OF DISCLAIMER

The purpose of this Disclaimer is to inform the Data Subject about the processing of personal data by the Company. The disclaimer is applicable in all cases when the Company processes the personal data of the Data Subject (e.g., when the Data Subject uses the Application, visits the Website, communicates with the Company, etc.).

 

3. INFORMATION ABOUT THE CONTROLLER

The company is considered the controller of personal data, which means that it determines the purposes of personal data processing (ie "why" personal data is processed) and means (ie "how" personal data is processed. Company contact information: (a) e- mail address: info@zalapay.com (b) telephone number: +371 25676060.

 

 

4. SOURCES OF PERSONAL DATA

If it is legally justified in each individual case, the Company can receive personal data about the Data Subject in two ways:

4.1. receiving them directly from the Data Subject, mainly when he/she:

(a) uses the Application or visits the Website;

(b) communicates with the Company (e.g. by telephone, by means of the Application, e-mail, regular mail, social networks and other means of communication);

(c) provides personal data to the Company in another way.

4.2. from third-party sources (e.g., state institutions, business register databases, etc.).

 

5. CATEGORIES OF PERSONAL DATA TO BE PROCESSED

The company mainly processes the following categories of data:

(a) Basic data (e.g. name, surname, personal identification number, date of birth, age, e-mail address, position held in a particular company);

(b) Contact information (eg, email address, telephone number, declared residential address);

(c) Device-related data (eg, device identifier, device model, operating system version, location while using the app, purchase data);

(d) Location;

(e) Network data (source IP address);

(f) Communication data (by telephone (NB! All telephone conversations with the Company are recorded) or in writing);

(g) Other personal data provided by the data subject to the Company or obtained by the Company.

 

6. PURPOSES OF PERSONAL DATA PROCESSING

6.1. The company processes personal data mainly for the following purposes:

(a) Ensuring the functionality of the App or Website;

(b) Communication with the Data subject in connection with the use of the Application, Website or service provided by the Company;

(c) Provision of the requested service;

(d) Creation and use of a user account;

(e) User account administration;

(f) Providing a response to the Data Subject's submission, complaint, request or question;

(g) Clarification of the opinion of the data subject;

(h) Implementation and protection of the rights and interests of the Company;

(i) Market research and trend identification;

(j) Prevention of illegal activities (e.g. fraud prevention, property protection, etc.);

(k) Improving the Company's Application, Website and processes related to their use;

(l) For direct marketing purposes, such as: (1) sending commercial communications (e.g., depending on the Data Subject's choice, sending current information about services, special offers, etc. to the Data Subject's e-mail and/or phone number, making calls, communicating with the Data Subject through social networks as well as other communication channels); (2) organization of customer loyalty events (including organization of lotteries); (3) use of targeting strategies, cookies and similar technologies; (4) evaluation and research of customer groups; (5) addressing potential customers and/or offering services using other information/communication channels (including, but not limited to, social networks, mail, internet, search sites, blogs, comparison sites, etc.);

(m) User database creation and other administrative purposes;

(n) Fulfillment of obligations set forth in normative legal acts;

(o) Providing answers to requests from competent public authorities;

(p) Claim, maintenance, enforcement;

(q) Research, analytics and statistics;

(r) improving the quality/efficiency of the provision of the Company's service;

(s) Troubleshoot problems and disruptions to the Service;

(t) Customer satisfaction assessment;

(u) Handling complaints from data subjects; Creating a register of complaints;

(v) Ensuring security (including information and cyber security), property protection and prevention and detection of criminal offences;

(w) Call content quality control, service quality control; Preservation of evidence (about the correctness of the information provided; competence of the employee, etc.).

 

6.2. The company is entitled to process personal data also for other purposes, which are not mentioned in the previous paragraph, if there is a relevant legal basis.

 

7. LEGAL BASIS OF PROCESSING

7.1. The legal basis on which we will process your Personal Data depends on the type of Personal Data being processed and for what purposes.

7.2. In particular, we will process your personal data based on the following legal bases: (a) your consent (where necessary, e.g. to send you commercial communications); (b) contract (e.g. for the provision of the Company's service); (c) compliance with our legal obligation (e.g. to ensure the security of processing); (d) the processing is necessary to protect the vital interests of the individual; (e) processing is necessary for our or a third party's legitimate interests (eg, filing and maintaining a claim, ensuring security, internal administrative purposes, etc.).

 

8. TRANSFER OF RECIPIENT CATEGORY AND PERSONAL DATA OUTSIDE EU/EEA

8.1. If it is legally justified in each individual case, personal data may be transferred to the following categories of recipients:

(a) Employees and officers of the Company;

(b) Company service providers (processors and other controllers), e.g. information storage service providers, information and communication technology (ICT) service providers, etc.

(c) State institutions, e.g. Consumer Rights Protection Center, State Revenue Service, State Data Inspectorate, State Police, etc.;

(d) Other recipients entitled to receive personal data.

8.2. We mainly process personal data within the EU/EEA. However, during the processing process (e.g. using a service for the Company), personal data may be transferred to a recipient outside the EU/EEA. In this case, the Company ensures that GDPR requirements for sending personal data outside the EU/EEA are met. The most detailed information on the transfer of personal data is available by contacting the Company using the contact information specified in this document.

 

9. DURATION OF STORAGE OF PERSONAL DATA

We will store personal data in accordance with our data retention policy. The retention period mainly depends on the category of personal data concerned and the purpose of the processing. With regard to some categories of personal data, storage periods are defined in the applicable legal acts (for example, in the field of taxation, in the field of consumer rights protection, in the field of combating money laundering, etc.). In other cases, when the storage period is not specified in the regulatory acts, the Company determines the storage period itself, taking into account the personal data processing principles established by GDPR. For example, a longer retention period may be required if the personal data is necessary for our legitimate interests, for example helping us respond to customer complaints, prevent crime, respond to requests from public authorities, etc. At the end of the storage period, personal data will be deleted or permanently anonymized.

 

10. RIGHTS OF THE DATA SUBJECT

10.1. The GDPR grants the Data Subject several rights in relation to his personal data, namely:

(a) The right to access your personal data;

(b) The right to correct personal data;

(c) The right to delete personal data;

(d) The right to request restriction of processing;

(e) Right to object to processing;

(f) Right to portability of personal data;

(g) The right to withdraw consent at any time if it is used as a legal basis for processing (NB: Withdrawal of consent does not affect the legality of processing based on consent given before withdrawal).

10.2. You should note that the above rights are not absolute. Namely, the GDPR and other applicable legal acts also determine limitations and exceptions to the said rights.

10.3. In order to exercise the aforementioned rights, the Data Subject must contact the Company in one of the following ways:

(a) By sending a handwritten application to the registered address of the Company; or

(b) By sending a submission signed with a secure electronic signature to the Company's e-mail address specified in this document.

 

10.4. If the Company has reasonable doubts about the identity of the natural person who submits a request for the exercise of the aforementioned rights, the Company may request that additional information necessary to confirm the identity of the Data Subject be provided.

 

11. RESOLUTION OF DISPUTES AND FILING OF COMPLAINTS

The Company hopes to resolve any dispute amicably and expects that the Data Subject will initially contact the Company if he/she believes that the processing does not comply with the GDPR and/or other regulatory enactments governing the protection of personal data. However, the Data subject has the right to submit a complaint to the State Data Inspectorate if he believes that the processing carried out by the Company is contrary to the GDPR and/or other regulatory enactments regulating the protection of personal data.

 

12. OBLIGATION TO PROVIDE PERSONAL DATA

Whether the Data Subject has the right or obligation to provide personal data depends primarily on the purpose of the processing. For example, you can freely choose whether to use the Company's App or Website, but in this case the provision of personal data will be mandatory in order to use the packages offered through the App and/or Website, otherwise the Company will not be able to provide this service. Signing up to receive news from the Company is always voluntary and based on your consent, which you can change or withdraw at any time.

 

13. AUTOMATED DECISION MAKING AND PROFILING

The Company does not make automated decisions that create legal consequences for the Data Subject or significantly affect the Data Subject in a similar way. The Company may perform profiling for marketing purposes or with the intention of personalizing the offers presented to the Data Subject in the Application or Website.

 

14. PASSWORD AND ACCOUNT ACCESS

14.1. When creating a user account in the Application or Website, the Data Subject is obliged to create a secure password. The data subject is not entitled to disclose this password to any third party. The data subject is obliged to change the password if he/she suspects that it has been learned by a third party.

14.2. The said user account may only be used by the Data Subject himself for his own purposes.

 

15. CHANGES

The Company has the right to unilaterally make changes to this Disclaimer. Changes take effect on the day an updated Disclaimer is published on the App or Website. In case of significant changes, the Data Subject will be informed about them using the contact information available to the Company.

PRIVACY NOTICE

 

1. TERMS AND DEFINITIONS

1.1. Notice – this Company's Privacy notice.

1.2. Data subject (also “you”) – individual, whose personal data is processed by the Company.

1.3. EU/EEA – European Union and European Economic Area.

1.4. Application software (also “Application” or “App”) – Company's application ZalaPay POS, maasa.pos and ZalaPay Kase used by the Data subject.

1.5. Website – Company's website www.zalapay.com.

1.6. Company (also “we”) – SIA maasa, registration No. 40203263318, legal address: Skanstes iela 52, Riga.

1.7. GDPR – General Data Protection Regulation.

1.8. Other terms defined by the GDPR Article 4 - "personal data", "processing", "restriction of processing", "controller", "processor", "recipient", "profiling" - are used in this Notice with the same meaning.

 

2. PURPOSE OF THE NOTICE AND SCOPE OF APPLICATION

The purpose of this Notice is to inform the Data subject about the processing of personal data by the Company. The Notice applies in all cases when the Company processes the personal data of the Data subject (eg, when the Data subject uses the Application, visits the Website, contacts the Company, etc.).

 

3. INFORMATION ABOUT THE CONTROLLER

Company is considered to be the controller of personal data, which means that it determines the purposes of the processing of personal data (ie, "why" personal data are processed) and the means (ie, "how" personal data are processed. Contact details of the company: (a) e-mail address: info@zalapay.com; (b) telephone number: +371 25676060.

 

4. PERSONAL DATA SOURCES

If it is legally justified in each individual case, the Company may receive personal data about the Data subject in two ways:

4.1. receiving directly from the Data subject, mainly when he/she:

(a) uses the App or visits the Website;

(b) communicates with the Company (eg, by phone, through the App, email, ordinary mail, social networks and other forms of communication);

(c) otherwise provides personal data to the Company.

4.2. receiving from third sources (eg, public authorities, business register database, etc.).

 

5. CATEGORIES OF PROCESSED PERSONAL DATA

Company mainly processes the following data categories:

(a) Basic data (eg, name, surname, personal code, date of birth, age, address);

(b) Contact details (eg, phone number, e-mail address, residence address);

(c) Data associated with the device (eg, device identifier, device model, operating system version, location when using apps);

(d) Location;

(e) Network data (source IP address);

(f) Communication data (by telephone (NB! All telephone conversations with the Company are recorded) or in writing);

(g) Other personal data provided by the data subject to the Company or obtained by the Company.

 

6. PURPOSES OF PERSONAL DATA PROCESSING

6.1. The Company processes personal data primarily for the following purposes:

(a) Ensuring functionality of the App or Website;

(b) Communication with the Data subject in connection with the use of the App, Website or services provided by the Company;

(c) Provision of the requested services;

(d) Creation and use of the user account;

(e) User account administration;

(f) Responding to the Data subject's application, complaint, request or question;

(g) Seeking Data subject's opinion;

(h) Exercise and protection of Company's rights and interests;

(i) Market research and trend identification;

(j) Prevention of illegal activities (eg, fraud prevention, property protection, etc.);

(k) Improvement of the Company's Application, Website and processes related to their use;

(l) direct marketing purposes, such as: (1) sending commercial communications (eg, depending on the Data subject's choice, sending up-to-date information about services, special offers, etc. to the Data subject's e-mail and/ or phone number, making calls, communicating with the Data subject through social networks as well as other communication channels); (2) organization of customer loyalty events (including organization of lotteries); (3) the use of targeting strategies, cookies and similar technologies; (4) evaluation and research of customer groups; (5) reaching potential customers and/or offering services through other information/communication channels (including, but not limited to, social networks, mail, internet, search sites, blogs, comparison sites and other channels);

(m) Creation of a user database and other administrative purposes;

(n) Fulfillment of obligations laid down in regulatory enactments;

(o) Responding to requests from competent national authorities;

(p) Bringing, maintaining, enforcing a legal action;

(q) Research, analytics and statistics;

(r) Improving the quality/efficiency of the Company's service provision;

(s) To troubleshoot service problems and disruptions;

(t) Customer satisfaction assessment;

(u) Handling of complaints of Data subjects; Creation of a register of complaints;

(v) Ensuring security (including information and cybersecurity), preventing and detecting property protection and criminal offenses;

(w) Quality control of the content of calls, quality control of servicing; Preservation of evidence (on the accuracy of the information provided; competence of the staff member, etc.).

 

6.2. The Company is entitled to process personal data also for purposes other than those mentioned in the previous paragraph, if there is a relevant legal basis.

 

7. LEGAL BASIS OF PROCESSING

7.1. The legal basis on which we process your personal data depends on the type of personal data processed and for what purposes processing takes place.

7.2. We mainly process personal data based on the following legal grounds: (a) your consent (where necessary, eg when sending you commercial communications); (b) conclusion and enforcement agreement (eg, on provision of Company's services); (c) compliance with our legal obligation (eg ensuring the security of processing); (d) the processing is necessary for the protection of the vital interests of the person; (e) the processing is necessary for our legitimate interests or those of a third party (eg bringing and maintaining a legal claim, ensuring security, internal administrative purposes, etc.).

 

8. CATEGORIES OF RECIPIENTS AND PERSONAL DATA TRANSFER OUTSIDE EU/EEA

8.1. Where legally justified in each individual case, personal data may be transferred to the following categories of recipients:

(a) Employees and officials of the Company;

(b) Company service providers (processors and other controllers), eg, information storage service providers, information and communication technology (ICT) service providers, etc.;

(c) State institutions, eg, Consumer Rights Protection Centre, State Revenue Service, Data State Inspectorate, State Police, etc.;

(d) Other recipients entitled to receive personal data.

8.2. We mainly process personal data in the EU/EEA territory. However, during the processing process (eg, when the Company uses some service), personal data may be transferred to a recipient outside the EU/EEA. In this case, the Company ensures that the GDPR requirements for the transfer of personal data outside the EU/EEA are complied with. More detailed information on the transfer of personal data is available by contacting the Company using the contact information provided in this document.

 

9. PERSONAL DATA STORAGE TERM

We will store personal data in accordance with our data retention policy. The retention period depends mainly on the category of personal data concerned and the purpose of the processing. For certain categories of personal data, retention periods are laid down in the applicable laws (eg in the field of taxation, consumer protection, anti-money laundering, etc.). In other cases, when the retention period is not specified in the applicable laws, the Company determines the retention period itself, taking into account the principles of personal data processing laid down in the GDPR. For example, a longer retention period may be set if personal data is necessary for the purposes of the legitimate interests, eg by helping us respond to customer complaints, preventing criminal offenses, responding to requests from public authorities, etc. At the end of the retention period, personal data will be deleted or permanently anonymised.

 

10. DATA SUBJECT RIGHTS

10.1. The GDPR grants data subjects a number of rights in relation to their personal data, namely:

(a) Right of access to personal data;

(b) Right to correct personal data;

(c) Right to delete personal data;

(d) Right to request restriction of processing;

(e) Right to object to processing;

(f) Right to portability of a personal data;

(g) Right to withdraw consent at any time if it is used as a legal basis for processing (NB! Withdrawal of consent shall not affect the lawfulness of processing based on prior consent).

 

10.2. You should note that the above rights are not absolute. In particular, the GDPR and other applicable laws also provide for limitations and exceptions to those rights.

10.3. In order to exercise the above-mentioned rights, the Data subject must contact the Company in one of the following ways:

(a) By sending a handwritten application to the Company's legal address; or

(b) By sending an application signed with a secure electronic signature to the Company's e-mail, which is indicated in this document.

10.4. If the Company has reasonable doubts about the identity of the natural person who submits a request for the exercise of the above-mentioned rights, the Company may request that additional information necessary for the confirmation of the identity of the Data Subject be provided.

 

11. DISPUTE RESOLUTION AND SUBMISSION OF CLAIMS

The Company hopes to resolve any dispute in a friendly manner and expects the Data subject to initially address the Company if he/she considers that the processing does not comply with the GDPR and/or other laws and regulations governing the protection of personal data. However, the Data subject is entitled to submit a complaint to the Data State Inspectorate if he/she considers that the processing carried out by the Company is in contradiction with the GDPR and/or other laws and regulations governing the protection of personal data.

 

12. OBLIGATION TO PROVIDE PERSONAL DATA

Whether the Data subject has the right or obligation to provide personal data depends primarily on the purpose of the processing. For example, you are free to choose whether to use the Company's Application or Website, but in this case the provision of personal data will be mandatory in order to use the services offered through the Application and/or the Website, otherwise the Company will not be able to provide these services. Signing up for newsletters from the Company is always voluntary and based on your consent, which you can always change or withdraw.

 

13. AUTOMATED DECISION MAKING AND PROFILING

The Company does not take automated decisions that have legal consequences in relation to the data subject or similarly have a significant impact on the Data subject. The Company may perform profiling for marketing purposes or for the purpose of personalizing offers reflected in the Application or Website to the data subject.

 

14. PASSWORD AND ACCESS TO USER ACCOUNT

14.1. When creating a user account in the Application or Website, the Data subject is obliged to create a secure password. The data subject is not entitled to disclose this password to any third party. The Data subject is obliged to change the password if he/she suspects that it has been found out by a third party.

14.2. The above-mentioned user account may only be used by the Data subject himself or herself for his or her own needs.

 

15. AMENDMENT

The Company is entitled to unilaterally make changes to this Notice. The changes take effect on the day when the updated Notice is published on the App or Website. In case of significant changes, the Data subject will be informed about them using the contact information available to the Company.