As of May 25, 2018, European Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and the free movement of such data (“the Regulation” or “the GDPR”) is applicable. Its main goal is to increase the level of protection of personal data and create a climate of trust which allows each individual to control their own data.
WHO WE ARE
PayByFace SRL (hereinafter referred to as “PayByFace” or “the Controller”), a limited liability company, registered in Romania, having registration number J40/15002/2019, fiscal code RO41854280, registered in Bucharest, Sos. Colentina Nr. 8, Bl. 5, Entrance 4, Floor 3, Apt: 148-1, Sector 2, as Operator, processes your personal data when you use:
- our websites at www.paybyface.io;
- the PayByFace Consumer app;
- the PayByFace eShop/Promo Manager app;
- the PayByFace Delivery Crew app;
- the PayByFace Merchant Kiosk mPOS app; and/or
- any of the services you can access on the PayByFace platform (our products and services).
As mentioned above, we are the ‘data controller’ of your personal information, according to the data protection regulation.
Contact data of the person in charge with attributions in the privacy field are: name: Mihai Teodorescu; email: firstname.lastname@example.org.
You must be at least 18 years of age to enter into this agreement.
Your BIOMETRIC data represents a mathematical model (which allows facial recognition) of your facial characteristics and is encrypted. Biometric data is considered to be sensitive/special data which should benefit from enhanced protection according to the GDPR.
Read this policy carefully to understand our data practices and how we treat them. If you do not agree to any of these practices, do not access the services provided by this platform.
If after reading this agreement in its entirety you are still unsure of anything or you have any questions, please feel free to contact us at email@example.com.
PRINCIPLES OF PROCESSING
Protecting and respecting your privacy is one of our constant concerns.
The processing of your personal data will be done in a legal, correct and transparent manner.
The purposes for which we collect your personal data are specified, explicit and legitimate, and your personal data will not be further processed in a manner that may be incompatible with those purposes.
We shall collect your personal data in an appropriate manner; personal data collected shall be relevant and limited to the information required for the purpose of the processing, accurate and, where necessary, updated.
We are committed to taking all necessary steps to ensure that incorrect data is erased or corrected.
Personal data will be retained for a period no longer than the one in which personal data is processed, except for the circumstances imposed by law where retention may be necessary and subsequently.
Personal data will be kept confidential; storage of such will be made in a manner that provides the necessary security.
Personal data will be shared with third parties only if it is required for the purpose of providing services under agreements.
Persons concerned have the right to request access to personal data, rectification and erasure, impediment or restriction of data processing and the right to data portability.
TYPE OF PERSONAL DATA PROCESSED
We may process personal data like:
- Contact details (name, surname, email address, phone number, merchant store address)
- Biometric data (facial characteristics, images and videos) to generate a biometric template
- Account login (username and password)
- Merchant’s store profile photo
- Technical information like the internet protocol (IP) address used to connect your computer to the internet, the browser type and version, your log-in information, the time-zone setting, the operating system and platform, the type of device you use, or the mobile phone number used by the device, mobile network information, your mobile operating system, the type of mobile browser you use and so on;
- Information about your GPS location
PURPOSES OF PROCESSING
Our primary goal in collecting personal information is to provide you with a safe, efficient and personalized experience. We use personal information to create, develop, operate, deliver and improve our services as provided in the Terms & Conditions and
- To create your PayByFace platform User account, to identify you as a platform user and give you access to the various features and services available to you as a registered user.
- Verifying your identity/biometric recognition.
- Responding to your queries, claims or disputes.
- Detecting, investigating, preventing or remediating violations of your agreements with us.
- To comply with legal and regulatory requirements.
LEGAL BASIS FOR PROCESSING
PayByFace processes your personal information on the bases set out below:
- Keeping to our agreement with you – We need certain personal information (including your Biometric data) to provide our services and cannot provide them without this information.
- Legal obligations – In some cases, we have a legal responsibility to collect and store your personal information.
- Legitimate interests – We sometimes collect and use your personal information because we have a legitimate reason to have it and this is reasonable when balanced against your right to privacy.
DISCLOSURE OF YOUR PERSONAL DATA
We may share the required part of your personal data, only to the extent that it is necessary, with the following third-party categories:
(a) Subcontractors – companies that offer us products or services, such as: cloud services providers;
(b) Companies involved in the operation of our platform;
(c) Other parties such as public authorities and institutions, accountants, auditors, lawyers and other external professional counselors, if their activity requires their knowledge or where the law requires us to divulge them.
We may also disclose your personal information to third parties:
(a) In case you request or give us permission to do so.
(b) To persons who can demonstrate that they have the legal authority to act on your behalf.
(c) If it is our legitimate interest to do so in order to manage, expand or develop the commercial activity: (i) in the case of a transfer of an enterprise (we sell part of the business or certain goods), we may disclose your data to the potential buyer of those commercial or commodity activities to ensure that the activity continues; (ii) if PayByFace (or a substantial part of its assets) is acquired by a third party, in which case the personal data held by PayByFace will be one of the transferred assets.
(d) If we have an obligation to disclose your personal data to comply with a legal obligation, any legal request from governmental or executive authorities and as may be necessary to meet certain national security or law enforcement requirements or to prevent certain illegal activities.
(e) To respond to any claim, to protect our rights or those of a third party, to protect the safety of any person or to prevent any illegal activity.
(f) To protect the rights, property or safety of PayByFace, its employees, PayByFace platform Users, or others.
KEEPING PERSONAL DATA
- PayByFace will keep copies of your personal data in a form that permits identification only as long as:
(i) we maintain an ongoing relationship with you;
When it comes to your biometric data, we only store biometric templates; such data will be processed for no longer than is absolutely necessary to achieve the purpose for which the data was collected and processed.
In particular, biometric samples used to generate the biometric template may only be processed in the capture and acquisition phases as required for biometric comparison; they may not be stored for longer than it is absolutely necessary to generate the said template.
- In addition, if relevant legal actions are being formulated, we may continue processing your personal data for such additional time in relation to that claim / action.
After the end of the periods in (I), (II) above, each to the extent applicable, we will erase or definitively destroy the relevant personal data, or we will anonymize the relevant personal data.
Also, Users can request the deletion of the account at any time. Following such a request, PayByFace will delete information that is no longer to be stored and will restrict access or use of any information that is still to be kept. Please bear in mind that your right to erasure of your personal data is not an absolute one.
Your personal data will be retained after the period referred to in (I) and (II) above only if it is ordered by internal law and only for the period of time provided for by these regulations, the basis being the legal obligation.
SECURITY OF YOUR PERSONAL DATA
We use appropriate measures to maintain the confidentiality and security of your personal data and to prevent unauthorized access, use, disclosure, alteration or destruction.
Please be aware that these safeguards do not apply to the information you choose to distribute in the public domain, such as social networks owned by third parties.
Your personal data will be processed by our authorized staff or agents only to the extent they are required to know, depending on the specific purposes for which your personal data was collected.
We use an interactive biometric system, meaning that the data subject’s participation and cooperation are required in the data acquisition phase (as opposed to passive systems, which collect data without the data subject perceiving or being aware of it).
We store your personal data in operating environments that use reasonable security measures to prevent unauthorized access. We use a device management system for all mPOS devices, which allows remote wiping to be applied in case of loss/theft of the device. We respect adequate standards for the protection of personal data.
The personal information you provide when you create an account with the PayByFace Platform is encrypted and kept in PayByFace’s cloud accounts in AWS Amazon and Azure. These have their own Privacy Policies in terms of personal data protection which you can find here:
It is important for you to play a role in maintaining the security of your personal data. You are responsible for maintaining the confidentiality for any use of your account.
If you become aware of any unauthorized use of your account or any other breach of security regarding personal data you provided to PayByFace, you agree to notify PayByFace immediately.
POSSIBLE RISK FOR PROVIDING BIOMETRIC DATA
Even though we are taking all measures to secure all the personal data provided by Users, some risks still exist, especially when it comes to sensitive data, such as biometric data. Because we want our Users to be fully informed when it comes to their personal data, we mention below, by way of example, some of these risks:
- Identity theft cannot be excluded, regardless of the technology used;
- Publication of such data in case the servers are hacked and the use of the data for unauthorized purposes (e.g. marketing, statistics, social control and discriminatory usage, biometric identity theft, biometric data forgery etc.), loss of such data, their destruction, modification, disclosure or illegal collection;
- Access to other personal data that may result from the biometric data, such as: race, gender, ethnicity, age, etc.
Nevertheless, please note that we implemented methods for securing the personal data we collect, especially the sensitive data by encrypting and storing them in a form where such information cannot be used to render biometric data in its initial form.
Persons who have not reached the age of 18 are not allowed to request services or any communications on the PayByFace platform.
PERSONAL DATA TRANSFERS
Keeping and processing your personal information as described above may require the transfer and/or storage of such information to a destination outside your country of residence, to countries within the European Union (the “EU”) or the European Economic Area (“EEA”), for example, to service providers.
Before transferring your data, we will take the necessary steps to ensure that your personal information will benefit from adequate protection, in accordance with the relevant privacy laws and internal policies of PayByFace.
Your data may be transferred outside the EEA/EU. Transferring your data outside of the European Union is mainly due to the location of our subcontractors. In order to provide you with safe services, we have decided to outsource certain operations to specialized service providers who have a relevant experience in their areas (for example: IT hosting). Some of these providers are established outside the EEA / EU, for example the United States.
By enrolling as a User of the PayByFace platform owned by PayByFace you expressly and unambiguously give your consent to the transfer and storage of your personal data on servers outside your country of residence, including the US, which may have data protection laws different from those in your country.
DATA SUBJECT’S RIGHTS
The right to be informed, access (the data subject has the right to obtain from PayByFace a confirmation that personal data concerning him / her are processed or not, and, if so, he / she has the right to access the data).
This right may be limited or refused, the reason for the refusal or limitation being communicated to the person concerned.
Right of rectification (the data subject has the right to obtain, without undue delay, the rectification of inaccurate personal data concerning him / her). Taking into account the purposes for which the data were processed, the data subject is entitled to obtain the completion of personal data that is incomplete, including by providing an additional statement.
The right to erase data (in situations where (1) the data are no longer necessary for the fulfillment of the purposes, (2) the consent has been withdrawn and there is no other legal basis for the processing, (3) the person opposes the processing and there are no legitimate reasons (4) personal data have been processed unlawfully, the person has the right to obtain the deletion of the data relating to him / her without undue delay).
This right may be limited or refused, the reason for the refusal or limitation being communicated to the person concerned.
The right to restrict processing – the data subject has the right to restrict the processing in the following situations:
(i) the data subject contests the accuracy of the data, for a period that allows the operator to verify the accuracy of the data;
(ii) the processing is illegal, and the person concerned opposes the deletion of personal data, but instead calls for the restriction of their use;
(iii) no personal data is required for processing, but the data subject requests them for the establishment, exercise or defense of a right in court;
(iv) the data subject has opposed the processing, for the period of time needed to verify whether the legitimate interests of the operator prevail over the rights of the person.
The user has the right to oppose at any time data processing for direct marketing purposes, and the right not to be subject to the automated decision-making process, including profiling; the user does not have this right if the decision:
(i) is required to conclude or execute a contract between the person concerned and PayByFace;
(ii) is authorized by Union or national law applicable to PayByFace and which also provides for appropriate measures to protect the legitimate rights, freedoms and interests of the data subject;
(iii) is based on the explicit consent of the data subject.
Right to data portability – the data subject has the right to receive the personal data which concerns him/her and which he/she has provided in a structured, commonly used and readable form and has the right to request PayByFace to transmit this data to another operator, without obstacles from PayByFace, if the following conditions are met cumulatively:
(i) processing is based on consent or contract and
(ii) processing is carried out by automatic means, in particular if this is technically feasible
The right to file a complaint with PayByFace – the data subject may file a complaint if he / she is unhappy with the processing of his or her personal data or with the way his or her request was answered.
Right to file a complaint with the Supervisory Authority – the data subject has the right to file a complaint with the National Supervisory Authority for Personal Data Processing if he is dissatisfied with the processing of his personal data.
Name: National Authority for the Supervision of Personal Data Processing
Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, postal code 010336, Bucharest, Romania
Telephone: +40.318.059.211 or +40.318.059.212
Right to address to justice – the data subject has the right to appeal to competent courts if he is unhappy with the processing of his or her personal data.
Data subject enjoys these rights, irrespective of the legal basis of the processing of his data.
Our site may contain links to and from the websites of our partner networks, advertisers and affiliates. If you access a link to any of these websites, please note that these websites have their own privacy policies and that we cannot be held responsible for those policies. Please check the privacy policies of each website before submitting personal data.
CHANGES TO THIS POLICY
You are not required to provide us with your personal data (biometric data included). However, if you choose not to provide us with your personal data, the PayByFace app will no longer be accessible to you and / or, as the case may be, we will no longer be able to facilitate and provide the PayByFace payment method and you will not be able to interact with these services; however, you shall be able to use the alternative payment methods freely used by each respective vendor/provider.