Privacy Policy

Privacy Policy of Plugpay Sp. z o. o.

The administrator of personal data is Plugpay Sp. z o. o. based in Katowice, at ul. Porcelanowa 23 Street, 40-246 Katowice, Poland, entered into the Register of Entrepreneurs of the National Court Register under the number 0000989525, NIP 9542844526, REGON 522943996, EIPA PL-T4K, hereinafter referred to as

“Data Controller”.

The Data Administrator ensures a high standard of privacy protection for users, interested persons and persons visiting the website or mobile application.

This Privacy Policy, hereinafter referred to as the “Policy”, sets out the rules for collecting, processing and using personal data of users, interested parties and visitors to the website.

The policy is aimed primarily at informing users, website visitors and interested persons about their rights in connection with the processing of their data by the Data Administrator.

As part of our business, we undertake to comply with this Policy, as well as with the requirements of applicable law, including: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: “GDPR” ) and the Polish Personal Data Protection Act of March 1, 2018.

I Definitions

Whenever this document refers to:

  1. Processing – this should be understood as operations performed on personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or otherwise making available, matching or combining, restricting, deleting or destroying.
  2. Administrator – this should be understood as a natural or legal person, public authority, unit or other entity that, alone or jointly with others, determines the purposes and methods of processing personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  3. Personal data – information about an identified or identifiable natural person (“data subject”). These include user data, data of interested parties.
  4. Processor – means a natural or legal person, public authority, unit or other entity that processes personal data on behalf of the controller.
  5. Profiling – means any form of automated processing of personal data, which consists in using personal data to evaluate certain personal factors of a natural person, in particular to analyze or predict aspects regarding the effects of work of that natural person, his or her economic situation, health, personal preferences, interests, reliability , behavior, location or movement.
  6. Pseudo-anonymization – means the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to prevent their attribution to an identified or an identifiable natural person.
  7. User – persons/company entities that have registered on the website or in the mobile application and have successfully passed the verification process or persons/company entities that are in the process of verification.
  8. Website visitor – a person viewing the content of the website or mobile application.
  9. Interested person – a person who submitted an inquiry/notification via the website, or using the contact details provided on the website or from the mobile application.

II Categories of processed data

The Data Administrator collects and processes the following categories of personal data, including, but not limited to:

  1. User data – e-mail address, login, names, surnames, security code, history of correct/negative logins, telephone number, image (linking the service with a third-party tool, including Facebook, Google or Apple), order details (amount spent , date, time), data for combating fraud and required by anti-money laundering regulations, payment data (including payment verification); data resulting from messages received from you regarding the Services (such as chat logs or reports to the support department) and feedback provided by you regarding your experiences in cooperation with the Data Administrator; in the case of corporate users, additionally: form of business, name of the company/company, NIP, KRS or commercial register number, REGON, country of business, date of establishment, company website, information about management board members, information about real beneficiaries, information about partners/ shareholders (including number of shares, share structure).
  2. Data of visitors – computer IP, opened subpages, time of visit, number of individual views, number of visits, source of visit, however, they are only used for statistical purposes and improving the content of the website – using the Google Analytics tool, as well as when the user uses devices portable – identification data of the device, Internet service operator and subscriber, however, the data collected in this way will be used only for statistical purposes or to ensure the correct use of the Website.
  3. Data of interested persons – e-mail address, title, category, subject, message content, image (face photo with ID document) – in necessary cases to verify identity.

III Legal basis for data processing and purposes of data processing

The legal basis for the processing of personal data is:

  1. Consent – your voluntary consent to the processing of data (Article 6(1)(a) of the GDPR) regarding the request submitted via the contact form available on the website or using the contact details indicated on the website.
  2. Contractual requirements – i.e. data processing is necessary to provide and browse the website, register and use an account on the website (Article 6(1)(b) of the GDPR);
    fulfillment of a legal obligation – i.e. data processing is necessary to fulfill the legal obligation imposed on the Data Administrator (including tax obligations and obligations arising from Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending the directive ( EU) 2015/849 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing and amending Directives 2009/138/EC and 2013/36/EU, Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015. on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (Text with relevance for the EEA), hereinafter referred to as the “AML Directive” and the Polish Act of March 1, 2018 on counteracting money laundering and terrorism financing, the “AML Act”.
  3. Legally justified interest of the administrator – i.e. Art. 6 section 1 letter f) GDPR, including, among others: on improving the quality of services and adapting them to the needs of users, interested persons, website visitors or responding to your requests, increasing the effectiveness of the website and services, ensuring the security of the Data Administrator’s website, sending a newsletter, marketing the Data Administrator’s own products.

Providing personal data by users is voluntary, but necessary to use the Data Administrator’s services provided via the website or mobile application.

Most of the time, we obtain personal data directly from you, via our website or mobile application, by visiting it and tracking your activity on our website or mobile application and providing the data necessary to set up an account and verify your identity on our website.

Personal data of persons visiting the Data Administrator’s website will be processed from the moment you visit the website. If you do not accept this Policy, please do not continue to use it and leave the website.

In other cases, we process personal data that you provide when sending inquiries via the contact form.

IV Your Rights

In connection with the processing of personal data, you have the following rights:

  1. The right to access data – the data subject has the right to obtain from us confirmation whether his or her personal data is being processed and, if so, to request access to his or her personal data. Access information includes, but is not limited to: purposes of data processing, categories of personal data processed and recipients or categories of recipients to whom your data has been or will be disclosed. However, this is not an absolute right, and your right of access may limit the interests of other people. You have the right to receive a copy of your personal data undergoing processing. Receiving the first copy of your data is free of charge.
  2. The right to correct data – the data subject has the right to request the Data Controller to immediately correct inaccurate personal data concerning him or her;
    the right to request deletion of data – the data subject has the right to request the Data Controller to immediately delete his or her personal data, and the Data Controller is obliged to delete personal data without undue delay if one of the conditions specified by law occurs.
  3. The right to limit processing – the data subject has the right to request from the Data Administrator to limit processing in the following cases:
    a) the data subject questions the accuracy of the personal data – for a period enabling the Data Controller to check the accuracy of the data;
    b) the processing is unlawful and the data subject objects to the deletion of the personal data and requests instead the restriction of their use;
    c) The Data Controller no longer needs the personal data for the purposes of processing, but they are needed by the data subject to establish, pursue or defend claims;
    d) the data subject has objected to the processing – until it is determined whether the legally justified grounds on the part of the Data Controller override the grounds for the data subject’s objection.
  4. The right to object – the data subject has the right to object at any time related to his or her particular situation. This is not an absolute right and does not apply in certain situations, for example where data processing is necessary for the defense of legal rights in legal proceedings.
  5. The right to transfer data – the data subject has the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format, which he or she provided to the Data Controller, and has the right to send these personal data to another controller without any hindrance from the Data Controller, after meeting the conditions specified by law.
  6. The right to lodge a complaint with the supervisory authority – the data subject has the right to lodge a complaint with the supervisory authority; You can exercise this right in a situation where it is presumed that we are processing your personal data in an unjustified manner or in contradiction with generally applicable legal provisions.

If you wish to exercise any of your rights described above or have any questions regarding the processing of your personal data, please contact us via:

e-mail: Patryk Kadlec, [email protected]

registered letter: Plugpay Sp. z o. o. Porcelanowa 23 Street, 40-246 Katowice, Poland.

For security reasons, we may require that your requests be in writing. We may also refuse to comply with your requests if we have reasonable grounds to believe that they are unfair, unfeasible or may threaten the privacy of others.

V Data transfer

If necessary, the Data Administrator may transfer your personal data for processing to the third parties indicated below:

  1. business partners, banks, payment operators, it is necessary in connection with our business activities, in particular in order to implement our contractual relations with such third parties, service and provide appropriate services, comply with applicable legal provisions and security requirements, communicate with you and third parties, compliance with the Data Controller’s financial obligations and responding to legal requests and demands;
  2. processors

The Data Administrator may conclude written contracts entrusting the processing of personal data with another entity (Processor). The right to conclude such contracts results from legal provisions. Processing entities may include in particular entities such as: companies providing IT services, auditing companies, accounting offices, entities providing employee outsourcing, entities offering customer service software, entities providing e-mail services (Google Inc.), server hosting services.

Processors will be subject to contractual obligations to implement appropriate technical and organizational security measures to secure the data of interested persons and users and to process this data only in accordance with the instructions of the Data Controller.

Your data is transferred to the following entities with which PlugPay Sp. z o. o. concluded appropriate agreements in this regard:

Qarbon IT Sp. z o. o., Hutnicza 6 Street, 40-246 Katowice, Poland, in the scope of technical service of the system platform;

Seon Technologies Kft, Magyarország, 1072 Budapest Rákóczi út 42. 7. EM, Hungary, in the field of tools supporting payment processing;

Paymento Financial S.A., Browarowa 23 Street, 43-100 Tychy, Poland, in the field of tools supporting payment processing;

ING Bank Śląski S.A., Sokolska 34 Street, 40-086 Katowice, Poland, in the field of payment processing;

Tradedoubler AB, Birger Jarlsgatan 57A Street, 113 56 Stockholm, Sweden, for the operation of the affiliate program;

GetResponse Sp. z o. o., Arkońska 6 A3 Street, 80-387 Gdańsk, Poland, in the field of e-mail marketing.

In addition, the personal data provided by you may be made available to competent public authorities if required by current law;

Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland, for marketing on Meta Platforms.

VI Security measures

Your personal data is stored and secured in accordance with the principles set out in applicable law. The Data Controller takes appropriate measures to:

  1. ensuring protection of personal data against loss, unauthorized access, use, destruction, modification or disclosure,
  2. ensuring appropriate technical and organizational security,
  3. protection of personal data in accordance with the level of risk and special categories of personal data.

Taking into account the current state of technology, costs, nature, scope, context and purposes of processing operations, as well as the rights and freedoms of natural persons, the activities will include, in particular, pseudo-anonymization and encryption of personal data, measures to ensure confidentiality, integrity, availability and resilience, measures to restore personal data and procedures for regularly testing, assessing and assessing the effectiveness of security measures.

VII Storage period

Taking into account the guiding principles of the GDPR, in particular the principle of purpose limitation, storage limitation and the principle of data minimization, we process your personal data only for a period no longer than necessary to achieve the purposes of processing and permitted by law. After achieving the purpose of processing, your personal data will be deleted, if permitted by law. Depending on the legal basis for processing your personal data, there may be different data storage periods.

Your personal data will be stored until the claims expire or until the obligation to store data under the law (in particular the AML Directive and the AML Act) expires.

Personal data of interested persons will be processed until the consent is withdrawn or after the Data Administrator has responded to the interested person (if possible under the law).

Users’ personal data will be stored for the duration of the contract, until the claims expire and for 5 years after the end of the business relationship/cooperation.

VIII Age Policy

Our Services are not directed to persons under the age of eighteen (18). We do not intend to process the personal data of such persons. If you are under 18 years of age, please do not use the Services or submit any information about yourself to us. If we become aware that we are processing personal data of a person under 18 years of age, we will delete such data as soon as possible.

IX Amendments

We may change the content of this Privacy Policy from time to time. You will be notified of any changes by posting the current, amended version of the Privacy Policy. We recommend that you regularly verify the content of the Privacy Policy.

Version 1.11 of November 21, 2023