1. INTRODUCTION

As of May 25, 2018, European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data (“the Regulation” or “the GDPR”) is applicable. Its main goal is to increase the level of protection of personal data and create climate of trust which allows each individual to control their own data.

This Privacy Policy contains important information and aims to explain in a simple and transparent way what type of personal data we collect about you, how we process it and your rights regarding the use your personal information.

  1. WHO WE ARE

PAYBYFACE LLC (hereinafter referred to as “the Controller” or “PayByFace”)), a limited liability company, registered in Romania, having registration number J40/15002/2019, fiscal code 41854280, registered in Bucharest, Hrisovului street no. 2-4, building 2, first floor, ap. 88, room 1, Sector 1, as Operator, processes your personal data when you use:

  • our website at www.paybyface.io;
  • the PayByFace smartphone app;
  • the PayByFace Merchant Kiosk Payment system; or
  • any of the services you can get access on the PayByFace platform (our products and services).

As mentioned above, we are the ‘data controller’ of your personal information, according to the data protection regulation.

You must be at least 18 years of age to enter into this agreement.

By accessing and using PayByFace platform and becoming a User, it is assumed that you have read the terms of this Privacy Policy and that you give your consent to process your personal information necessary for such services to be provided.  For the avoidance of any doubt, by agreeing with this Privacy Policy you acknowledge that PayByFace provides through the PayByFace platform a service that helps you make payments by facial recognition. Your biometric data represents a mathematical model of your facial characteristics and is encrypted.

Read this policy carefully to understand our data practices and how we treat them. If you do not agree to any of these practices, do not access the services provided by this platform.

If after reading this agreement in its entirety you are still unsure of anything or you have any questions, please feel free to contact us at privacy@paybyface.io.

  1. PRINCIPLES OF PROCESSING

Protecting and respecting your privacy is one of our constant concerns.

The processing of your personal data will be done in a legal, correct and transparent manner.

The purpose for which we collect your personal data are specified, explicit and legitimate and your personal data will not be further processed in a manner that may be incompatible with those purposes.

We shall collect your personal data in an appropriate manner; personal data collected shall be relevant and limited to the information required for the purpose of the processing, accurate and, where necessary, updated.

We are committed to take all necessary steps to ensure that incorrect data is erased or corrected.

Personal data will be retained for a period no longer than the one in which personal data is processed, except for the circumstances imposed by law where retention may be necessary and subsequently.

Personal data will be kept confidential; storage of such will be made in a manner that provides the necessary security.

Personal data will be shared with third parties only if it is required for the purpose of providing services under agreements.

Persons concerned have the right to request access to personal data, rectification and erasure, impediment or restriction of data processing and the right to data portability.

We do not trade personal data for commercial purposes and we don’t use cookies.

  1. TYPE OF PERSONAL DATA PROCESSED

We may process personal data like:

  • Contact details (name, surname, email address, phone number, postal address, personal data from your identity card/passport/driver’s licence)
  • Biometric (face) template;
  • Account login (username and password)
  • User’s profile photo
  • Technical information like the internet protocol (IP) address used to connect your computer to the internet, the browser type and version, your log-in information, the time-zone setting, the operating system and platform, the type of device you use or the mobile phone number used by the device, mobile network information, your mobile operating system, the type of mobile browser you use and so on;
  • Information about your GPS location
  1. PURPOSES OF PROCESSING

Our primary goal in collecting personal information is to provide you with a safe, efficient and personalized experience. We use personal information to create, develop, operate, deliver and improve our services as provided in the Terms & Conditions and

  • To create your PayByFace platform User account, to identify you as a platform user and give you access to the various features and services available to you as a registered user.
  • Verifying your identity.
  • Responding to your queries, claims or disputes.
  • Detecting, investigating, preventing or remediating violations of your agreements with us.
  • To comply with legal and regulatory requirements.

 

  1. LEGAL BASIS FOR PROCESSING

PayByFace processes your personal information on the bases set out below:

  • Keeping to our agreement with you – We need certain personal information to provide our services and cannot provide them without this information.
  • Legal obligations – In some cases, we have a legal responsibility to collect and store your personal information.
  • Legitimate interests – We sometimes collect and use your personal information because we have a legitimate reason to have it and this is reasonable when balanced against your right to privacy.
  • Consent – by accepting this Privacy policy, you grant us your specific consent on the data processing performed for the purposes detailed above.

 

  1. DISCLOSURE OF YOUR PERSONAL DATA

It is possible for us to share the required part of your personal data only to the extent that it is necessary for the following third-party categories:

(a) Subcontractors – companies that offer us products or services, such as: cloud services providers;

For example, the matching algorithm that makes possible the payment through face recognition is made by our provider Facebanx. When it comes to data protection Facebanx has its own Privacy Policy which you can find here https://facebanx.com/privacy-policy.php. BY AGREEING WITH PAYBYFACE’S PRIVACY POLICY YOU CONFIRM THAT YOU ARE ALSO AWARE AND AGREE WITH FACEBANX’S PRIVACY POLICY.

(b) Companies involved in the operation of our platform;

(c) Other parties such as public authorities and institutions, accountants, auditors, lawyers and other external professional counselors, if their activity requires their knowledge or where the law requires us to divulge them.

Data processing may also be performed by companies acting as Merchants (the store or vendor enrolled to PayByFace) or Providers (banks providing services to Users and enrolled to PayByFace).

It is possible that we also disclose your personal information to third parties:

(a) In case you request or give us permission to do so.

(b) To persons who can demonstrate that they have the legal authority to act on your behalf.

(c) If it is our legitimate interest to do so in order to manage, expand or develop the commercial activity: (i) in the case of a transfer of an enterprise (we sell part of the business or certain goods), we may disclose your data to the potential buyer of those commercial or commodity activities to ensure that the activity continues; (ii) if PayByFace (or a substantial part of its assets) is acquired by a third party, in which case the personal data held by PayByFace will be one of the transferred assets.

(d) If we have an obligation to disclose your personal data to comply with a legal obligation, any legal request from governmental or executive authorities and as may be necessary to meet certain national security or enforcement requirements law or to prevent certain illegal activities.

(e) To respond to any claim, to protect our rights or a third party, to protect the safety of any person or to prevent any illegal activity.

(f) To protect the rights, property or safety of PayByFace, its employees, PayByFace platform Users, or others.

 

  1. KEEPING PERSONAL DATA

PayByFace takes all necessary steps to ensure that your personal data is processed only for the minimum period required for the purposes set forth in this Privacy Policy.

  1. PayByFace will keep copies of your personal data in a form that permits identification only as long as:

(i) we maintain an ongoing relationship with you;

(ii) your personal data is required in connection with the purposes set forth in this Privacy Policy and we have a valid legal basis.

  1. In addition, if relevant legal actions are being formulated, we may continue processing your personal data for such additional additional time in relation to that claim / action.

After the end of the periods in (I), (II) above, each to the extent applicable, we will erase or definitively destroy the relevant personal data, or we will anonymize the relevant personal data.

Also, Users can request the deletion of the account at any time. Following such a request, PayByFace will delete information that is no longer to be stored and will restrict access or use of any information that is still to be kept. Please bear in mind that your right to erasure of your personal data is not an absolute one.

Your personal data will be retained after the period referred to in (I) and (II) above only if it is ordered by internal law and only for the period of time provided for by these regulations, the basis being the legal obligation.

  1. SECURITY OF YOUR PERSONAL DATA

We use appropriate measures to maintain the confidentiality and security of your personal data and to prevent unauthorized acces, use, disclosure, alteration or destruction.

Please be aware that these safeguards do not apply to the information you choose to distribute in the public domain, such as social networks owned by third parties.

Your personal data will be processed by our authorized staff or agents only to the extent they are required to know, depending on the specific purposes for which your personal data was collected.

We store your personal data in operating environments that use reasonable security measures to prevent unauthorized access. We respect reasonable standards for the protection of personal data.

The personal information you provide when you create an account with PayByFace Platform are encrypted and kept in PayByFace’s cloud accounts in AWS Amazon and Azure. These have their own Privacy Policies in terms of personal data protection which you cand find here:

https://aws.amazon.com/privacy/

https://azure.microsoft.com/en-in/overview/trusted-cloud/privacy/

https://azure.microsoft.com/es-es/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/

BY AGREEING WITH PAYBYFACE’S PRIVACY POLICY FOR THE PAYBYFACE PLATFORM YOU CONFIRM THAT YOU ARE ALSO AWARE OF AMAZON’S AND AZURE’S PRIVACY POLICY.

It is important for you to play a role in maintaining the security and security of your personal data. You are responsible for maintaining the confidentiality for any use of your account.

If you become aware of any unauthorized use of your account or any other breach of security regarding personal data you provided to PayByFace, you agree to notify PayByFace immediately.

POSSIBLE RISK FOR PROVIDING BIOMETRIC DATA

Even though we are taking all measure for securing all the personal data provided by Users, there still exist some risks, especially when it comes to sensitive data, such as biometric data. Because we want our Users to be fully informed when it comes to their personal data, in the following we mention by way of example some of such risks:

  • Is not excluded the identity theft regardless the technology used;
  • Publishing of such data in case the servers are hacked and the utilization of the data for unauthorized purposes (e.g. marketing, statistics, etc.), loss of such data, their destruction, modification, disclosure or illegal collection;
  • Access to other personal data that may results from the biometric data, such as: race, gender, ethnicity, age, etc.

Nevertheless, please note that we implemented methods for securing the personal data we collect, especially the sensitive data by encrypting and storing them in a form where such information cannot be used to render biometric data in its initial form.

  1. MINORS

Persons who have not reached the age of 18 are not allowed to request services or any communications on the PayByFace platform.

  1. PERSONAL DATA TRANSFERS

Keeping and processing your personal information as described above may require the transfer of such and / or storage to a destination outside your country of residence to countries within the European Union (the “EU “) Or the European Economic Area (” EEA “), for example, service providers.

Before transferring your data, we will take the necessary steps to ensure that your personal information will benefit from adequate protection, in accordance with the relevant privacy laws and internal policies of PayByFace.

Your data may be transferred outside the EEA /EU. Transferring your data outside of the European Union is mainly due to the location of our subcontractors. In order to provide you with safe services, we have decided to outsource certain operations to specialized service providers who have a relevant experience in their areas (for example: IT hosting). Some of these providers are established outside the EEA / EU, for example the United States.

By enrolling as a User of the PayByFace platform owned by PayByFace you expressly and unambiguously give your consent to the transfer and storage of your personal data on servers outside your country of residence, including the US, which may have data protection laws different from those in your country.

  1. DATA SUBJECT’S RIGHTS

The right to be informed, access (the data subject has the right to obtain from PayByFace a confirmation that personal data concerning him / her are processed or not, and, if so, he / she has the right to access the data).

This right may be limited or refused, the reason for the refusal or limitation being communicated to the person concerned.

Right of rectification (the data subject has the right to obtain, without undue delay, the rectification of inaccurate personal data concerning him / her). Taking into account the purposes for which the data were processed, it is entitled to obtain the completion of personal data that is incomplete, including by providing an additional statement.

The right to erase data (in situations where (1) the data are no longer necessary for the fulfillment of the purposes, (2) the consent has been withdrawn and there is no other legal basis for the processing, (3) the person opposes the processing and there are no legitimate reasons (4) personal data have been processed unlawfully, the person has the right to obtain the deletion of the data relating to him / her without undue delay).

This right may be limited or refused, the reason for the refusal or limitation being communicated to the person concerned.

The right to restrict processing – the data subject has the right to restrict the processing in the following situations:

(i) contest the accuracy of the data for a period that allows the operator to verify the accuracy of the data;

(ii) the processing is illegal and the person concerned opposes the deletion of personal data, but instead calls for the restriction of their use;

(iii) no personal data is required for processing, but the data subject requests them for the establishment, exercise or defense of a right in court;

(iv) the data subject opposed to the processing, for the period of time to verify that the legitimate interests of the operator prevail over the rights of the person.

The user has the right to oppose at any time data processing for direct marketing purposes, not to be subject to the automated decision making process, including profiling – does not have this right if the decision:

(i) is required to conclude or execute a contract between the person concerned and PayByFace;

(ii) is authorized by Union or national law applicable to PayByFace and which also provides for appropriate measures to protect the legitimate rights, freedoms and interests of the data subject;

(iii) is based on the explicit consent of the data subject.

Right to data portability – the data subject has the right to receive the personal data which he/she regards and which he/she has provided in a structured, commonly used and readable form and has the right to request PayByFace to transmit this data to another operator, without obstacles from PayByFace, if the following conditions are met cumulatively:

(i) processing is based on consent or contract and

(ii) processing is carried out by automatic means, in particular if this is technically feasible

The right to file a complaint with PayByFace – the data subject may file a complaint if he / she is unhappy with the processing of his or her personal data or with the way of responding to its request.

Right to file a complaint with the Supervisory Authority – the data subject has the right to file a complaint with the National Supervisory Authority for Personal Data Processing if he is dissatisfied with the processing of his personal data.

Name: National Authority for the Supervision of Personal Data Processing

Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania

Telephone: +40.318.059.211 or +40.318.059.212

Fax: +40.318.059.602

Email: anspdcp@dataprotection.ro

Right to address to justice – the data subject has the right to appeal to competent courts if he is unhappy with the processing of his or her personal data.

Data subject enjoys these rights, irrespective of the legal basis of the processing of his data.

  1. MISCELLANEOUS

It is possible that our site contain links to and from the websites of our partner networks, advertisers and affiliates. If you access a link to any of these websites, please note that these websites have their own privacy policies and that we can not be held responsible for those policies. Please check the privacy policies of each website before submitting personal data.

  1. CHANGES TO THIS POLICY

If we make changes to the way we handle your personal information, we will update this privacy policy. We reserve the right to make changes to our practices and policies at any time. Please check our site regularly to see any updates or changes to our confidentiality policy. All the previous versions of this Privacy policy shall be available on our website.