Pay. processes the personal data of Merchants and their representatives, as well as that of people who use Pay.’s services.

If you use Pay.’s services as a Merchant, we will process the following personal data:

• Your full name;
• Your address information;
• Your date of birth;
• Your place of birth;
• Your nationality;
• Your email address;
• Your telephone number;
• Your IP address;
• A copy of the document with which your identity was verified;
• The number, date and place of issue of the document with which your identity was verified;
• Other data that you provided yourself during your communication with Pay.

Note: If you use Pay.’s services as a Merchant and decide to give your employees access to Pay.’s Admin Panel, you must inform them about the fact that you released personal data to Pay.

If you use Pay.’s services as an End User (meaning that you make a payment to a Pay. Merchant via Pay.'s platform), we will process the following personal data:

• Your first and last name;
• Your IP address;
• Depending on the payment method you selected:
  • Your IBAN number;
  • Your card number (credit card payments, Bancontact)
• Depending on the Merchant in some cases:
  • Your address information;
  • Your date of birth;
  • Product information;
  • Address information for the purpose of delivering the product (physically and/or digitally);
  • Billing address;
  • Email address.

Pay. processes personal data because it is necessary to do so in order to provide our services. Pay. processes personal data for the following purposes:

• To enter into a client relationship;
  If you want to become a client of Pay, we will need personal data from the legal representative, ultimate beneficial owner(s), partners, owners, etcetera. We use these data to assess whether we can accept you as a client of Pay. We may also use data that we receive from third parties for this purpose. Collecting these data also serves a legal purpose in accordance with the Financial Supervision Act and the Money Laundering and Terrorist Financing (Prevention) Act.
  
  
• To maintain our relationship with you and execute our agreement;
  When you become a client of Pay, we use your personal data to contact you. We also store recordings, e.g. telephone conversations and chat sessions. We use these recordings as training tools for Pay. employees, as well as a means to prevent crime and as evidence. We will also release your name and IBAN number to third parties in order to facilitate the payment traffic.
  
  
• To protect your and our interests;
  To safeguard the stability and integrity of our financial system, we conduct research to e.g. prevent fraud and/or study cases of fraud. We use your personal data for this purpose, as well as (public) registries and warning systems, newspapers, news alerts and the internet.
  
  
• To process payments;
  When Pay. processes incoming payments, we may sometimes process personal data on our payment screens in order to perform the transaction. In other cases, we will receive your personal data from your own bank.
  
  
• To meet our legal obligations;
  In accordance with applicable laws and regulations, we are required to collect personal data on our Merchants, their representatives and ultimate beneficial owners and the end users who use Pay. to make payments. For example, the Money Laundering and Terrorist Financing (Prevention) Act requires Pay. to research any unusual transactions on its platform. Pay. may also be asked by a government institution (e.g. De Nederlandsche Bank, the police or the Tax Authority) to release your personal data.
  
  
• For our business operations;
  As a payment institution, we want to know who we are dealing with. A good overview of all our client relations is an essential part of this. We may also record which parties you do business with in order to conduct a risk assessment and determine whether we can and/or want to offer our services to you.

Pay. does not record any personal data from it’s Merchants or End Users relating health, criminal matters, ethnicity, religious or political beliefs, unless absolutely necessary. A necessary example being if you make a payment to a pharmacy or to a political party. Information about your health or your political preference can be derived from this.

Pay. does conduct tests at warning systems such as the national reporting center for internet scams or websites, telephone numbers and e-mail addresses if they are negatively registered. We always keep a record of positive or negative reports in our system. This does not concern criminal data.

We request Pay. Merchants and End Users not to share any personal data with us, unless strictly necessary as described above. If you decide to share it with Pay, we will only process this data if this is necessary for our services.

Your personal data are carefully stored for no longer than necessary for the purpose for which they were processed, taking the legal retention period into account. At Pay, your personal data can only be accessed by employees who, given the nature of their function, must have access to these data. All Pay. employees have signed a confidentiality agreement. We do not share your personal data with third parties, unless this ties into the purpose for which you provided the data to us or to meet a legal obligation. Think of e.g. releasing your data to third parties in order to provide our payment services, such as offering payment-in-arrears methods for which the payment method in question needs your personal data to make payment in arrears possible. We may also share your data with the authorities in order to meet our legal obligation to do so. We will not sell or rent out your personal data.

In addition to the organisational measures that Pay. has taken to protect your personal data, i.e. your data are only accessible to Pay. employees who need such access due to the nature of their function, Pay. has also taken various technical measures to secure your data. Our data security measures are regularly assessed. Pay. has a PCI DSS Level 1 certification, among others. Since 2014, we are audited every year by a Qualified Security Assessor and an external accountant.

Pay. has adopted the position that it is a controller of the personal data of our Merchants under the provisions of the General Data Protection Regulation (GDPR), due to the fact that:

• Pay. requires its Merchants to provide certain personal data;
• Pay. has to meet its legal obligations (e.g. the Financial Supervision Act, the Money Laundering and Terrorist Financing (Prevention) Act and the Inheritance Tax Act).

When it comes to processing transactions and therefore the personal data of End Users, Pay. is both a controller and a processor. Pay. has adopted this position due to the fact that:

As a controller:

• Pay. decides what personal data to process for the execution of a payment;
• Pay. processes payments on behalf of our Merchants. To do so, Pay. processes personal data, which we are allowed to do in order to provide our services. Processing payments is a main activity for Pay.

As a processor:

• Pay. requests additional personal data, which we process to facilitate payments via e.g. payment-in-arrears methods. These data (e.g. name and address information and product information) are sent to Pay. by the Merchant. Acquiring these data is necessary in order to provide the aforementioned payment methods.
• Pay. requests additional personal data, e.g. name and address information and product information, in order to facilitate and improve its transaction monitoring and fraud monitoring capabilities.

For the cases in which Pay. acts as a processor of personal data, we have drawn up a processor agreement for our Merchants.