PRIVACY POLICY

This Privacy Policy (hereinafter – “Policy”) explains how EPS LT, UAB (hereinafter – “EPS”, “we”, “us” or “our”) or our processor(s) (sub-processor(s)) process personal data when payment acceptance mobile device application (the “Application”) is used.

For the purposes of this Policy, EPS may act as the personal data controller or processor. This Policy applies to us and to the Customers who use, have used, intend to use or are otherwise related to services delivered for or while using the Application (hereinafter – the “Services”), as well to natural persons – clients of our Customer(s). In provision of Services, we seek to ensure a high level of personal data privacy and their protection.

Terms used in the policy

“Processor (sub-processor)” shall mean the technology partner of EPS, with which established cooperation ensures provision of Services.

“Customer” (hereinafter – “Merchant”, “user” or “you”) shall mean any natural person who uses, has used, stated an intent to use or is otherwise related to Application or Services. Employees or other authorised representatives of legal entities may also be regarded as a Customer.

“Clients of a Merchant” (hereinafter may be referenced to as the “Buyers”) shall mean natural persons, usually cardholders, who should receive a receipt of sale-purchase transaction via electronic means (e-mail or SMS message).

“Personal data” shall mean any information, directly or indirectly related to a Merchant or a Buyer, making it possible to identify such Merchant or a Buyer.

“Personal data processing” shall mean operation, which is performed upon the personal data: collection, recording, sorting, storage, modification (supplementing and correction), disclosure, use, erasure, destruction or another operation or set of operations.

All Personal data is processed according to the EU General Data Protection Regulation No. 2016/679 (“GDPR”) and other EU, national legal acts providing for additional personal data protection requirements.

If you do not agree with the terms of this policy, please do not access the application.

We reserve the right to make changes to this Policy at any time and for any reason. You are encouraged to periodically review this Policy to stay informed of updates. You will be deemed to have been made aware of, will be subject to, and will be deemed to have accepted the changes in any revised Policy by your continued use of the Application after the date such revised Policy is posted.

This Policy does not apply to the third-party online/mobile store from which you install the Application or make payments which may also collect and use data about you. We are not responsible for any of the data processed by any such third party.

Principles followed while processing personal data

We process Personal data in accordance with the following data processing principles:

• We process personal data in a lawful, fair and transparent manner;
• We collect and process personal data only for established, clear and legitimate purposes;
• We ensure that we collect data only to achieve the established purposes;
• We take measures to ensure that personal data are accurate and, if necessary, we seek to update or correct them;
• We store personal data no longer than necessary to achieve the purposes for which they are collected;
• We process personal data by ensuring their confidentiality and security, including protection against unlawful or unauthorized processing and/or access. We also ensure protection against their accidental disclosure, loss, destruction or damage.

We process the Personal data only if there is a legal basis for such processing, i.e. if processing meets at least one of the following conditions:

• Your consent has been obtained to process your personal data for specific purposes (consent);
• Personal data is processed for the purpose of concluding a contract or fulfilling contractual obligations (contractual obligations);
• For fulfilment of a statutory legal obligation (legal obligation);
• In pursuance of our legitimate interests as those of a personal data controller and service provider, save for cases when your interests are overriding (legitimate interest).

Processing of merchant’s data

Data, which may be processed by EPS or its processor(s) (sub-processor(s)) via or while using the Application or related Services and it depends on the content and materials you use, and includes:

Personal Data

Identifiable information, such as your name, surname (if indicated), your e-mail address, address (if indicated) that is given voluntarily when choosing to access Services related to usage of the Application.

Derivative Data

Information our processor’s (sub-processor’s) servers automatically collect when you access the Application, such as your native actions that are integral to the Application (connection data (technical logs)).

Such data may be treated as personal data only if it could be used, derivatively together with a combination of other data or personal data, to identify a person.

Geo-Location Information

We request access or permission to and track location-based information from your mobile device, either continuously or while you are using the Application, to ensure the security of the Services. If you wish to change our access or permissions, you may do so in your device’s settings. However, please note that geo-location is required for the usability of the Services.

Such data may be treated as personal data only if it could be used, derivatively together with a combination of other data or personal data, to identify a person.

Mobile Device Data

Device information such as your mobile device ID number, model, and manufacturer, version of your operating system, country, location, and any other data you choose to provide.

Such data may be treated as personal data only if it could be used, derivatively together with a combination of other data or personal data, to identify a person.

Processing of buyer’s data

The data subject mentioned hereby is a client of the Merchant (“Buyer”) who is entitled to make a payment to the Merchant for purchased goods or (and) services. Within the scope of provision of our Services, certain data of the Buyer can be processed.

Financial Data

Financial data, such as data related to the payment of the Buyer: card number (masked), expiration date, transaction date and time, transaction amount and other data related to a payment) that the Application may collect when the Buyer purchases, returns, exchanges goods to the Merchant. Such data is processed only in the context of the payment transaction.

Such data may be treated as personal data only if it could be used, derivatively together with a combination of other data or personal data, to identify a person.

Personal Data

Personal data such as name (if indicated in the e-mail address), surname (if indicated e-mail address), e-mail address or (and) telephone number of a Buyer. Such Personal data has to be voluntarily communicated by the Buyer to the Merchant when the Buyer chooses to receive the payment receipt in a digital format. The e-mail address or phone number collected will only be processed for this purpose.

If the Buyer does not wish to provide his e-mail address or phone number, he can choose to scan the QR code on the Application to obtain the digital receipt without disclosing his/her contacts.

Aims for personal data processing

Data processing is mandatory in order to provide the Services. Personal data processing is required so we and our processor(s) (sub-processor(s)) may deliver the following, but not limited to, services:

1. Create and manage your account;
2. Contact you regarding your account;
3. Process payments, refunds and other transactions related to the Application;
4. Increase the efficiency and operation of the Application;
5. Monitor and analyse usage and trends to improve your experience with the Application;
6. Notify you of updates to the Application;
7. Prevent fraudulent or illegal transactions;
8. Request feedback and contact you about your use of the Application;
9. Resolve disputes and troubleshoot problems;
10. Respond to product and customer service requests;
11. Solicit support for the Application;
12. Deliver payment receipts to indicated recipient.

Other types of personal data disclosure

We or our processor(s) (sub-processor(s)) may be required to share Personal data collected in other certain situations. Your personal data may be disclosed as follows:

By law or to protect rights

We or our processor(s) (sub-processor(s)) might be obliged to share collected Personal data by responding to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of yours or others.

We or our processor(s) (sub-processor(s)) may be required to share your information as permitted or required by any applicable law, rule, or regulation. This includes exchanging information with other entities for fraud protection and credit risk reduction.

Third-Party Service Providers

We or our processor(s) (sub-processor(s)) may share your information with third parties that perform services for us or on our behalf, including payment processing, data analysis, e-mail delivery, hosting services, customer service, and marketing assistance. In such case, only the mandatory data might be shared.

Sale of business or bankruptcy

If we or our processor(s) (sub-processor(s)) reorganize or sell all or a portion of our/its assets, undergo a merger, or are acquired by another entity, we may transfer your information to the successor entity. If we go out of business or enter bankruptcy, your information would be an asset transferred or acquired by a third party. You acknowledge that such transfers may occur and that the transferee may decline honour commitments we made in this Policy.

Retention period

We process Personal data only to achieve the purpose(s) of delivering the Services and is retained no longer that it is necessary to achieve that purpose(s).

Personal data is collected, processed and retained for the whole period while the Services are provided. In the event of agreement for Service provision is terminated, Merchant’s Personal data is retained for the 18 (eighteen) months from the date of termination of the above mentioned agreement.

Buyers’ personal data is collected and processed to achieve above indicated purposes (payment receipt delivery) and is retained for the period of 1 month after processing actions to achieve the purposes.

Some data might be retained for a longer period in case we are obliged under the law to retain that data (legitimate interest).

Security of your information

We and our processor(s) (sub-processor(s)) use administrative, technical and physical security measures to help protect your Personal data. We do not store any information that is not required to ensure the reasonable highest level of security of the payment service so that your account remains safe. Moreover, our solution respects the security requirements of the payment schemes (e.g. Visa, Mastercard) and Payment Card Industry (PCI) standards.

Rights of a data subject

You have the following rights in regards to processing of your personal data:

• You have the right to know whether we process your Personal data and, if we do so, to get access to it;
• You may request the rectification of your Personal data if it is incorrect, incomplete or inaccurate;
• You have the right to request the erasure of your Personal data if it is no longer necessary to achieve the purpose of data processing, if you withdraw your consent or other legal background to data processing, if your Personal data is processed illegally or in other circumstances provided for in legal acts on data protection. If the processed Personal data is requested to be erased is necessary on another legal basis, such as for the purposes of performance of a contract or legal obligation, we will not be able to erase them;
• You have the right to request restriction of the processing of your Personal data in the circumstances provided for in legal acts;
• You have the right to receive Personal data that you provided to us in a structured, commonly used and machine-readable format and that are processed on the basis of consent or performance of contractual obligations. You can request that we transmit such data to another controller if that is technically possible;
• You may object to the Processing of personal data where it is processed in our legitimate interest, save for cases when such data is processed for lawful reasons that override the interests of the data subject, or in order to fulfil a legal obligation;
• You have the right to withdraw your consent to the Personal data processing;
• You have the right to lodge a complaint regarding Personal data processing with the State Data Protection Inspectorate (in Lithuania), Data State Inspectorate (in Latvia), Estonian Data Protection Inspectorate (in Estonia) if you suspect that our actions are in breach of legal acts on personal data protection.

Contact us

You can always contact us if you have any questions, you wish to apply for the exercise of your rights as those of a data subject whose data we process, or if you have any complaints about the processing of your Personal data, using the contact details presented on this Policy.

In order to ensure Personal data security, we accept requests for the exercise of data subject’s rights or complaints in writing – by registered mail or by e-mail.

In order to manage the risks and protect your Personal data against accidental loss, disclosure or misappropriation, when you wish to access or receive your Personal data we process, we are obliged to identify you properly.

So we can ask you to come to our office situated at Savanoriu ave. 123A, Vilnius, Lithuania, as well as we can ask you to produce your personal identity document or its notarised copy.

If another person wants to access your Personal data, he/she will be required to present a valid notarised power of attorney you have issued to him.

We analyse and evaluate requests for the exercise of the data subject’s rights each time individually, and we shall inform you on a decision taken without undue delay, in any case no later than within one (1) month as of the receipt of your written request.