Privacy Policy

Effective as of 07.01.2019

This Privacy Policy describes the rules according to which Pocopay processes the personal data of any person using the Pocopay app and/or any person using any services offered by Pocopay.

1. Definitions

In addition to terms defined elsewhere in this Privacy Policy, the following capitalized terms shall have the following meanings in this Privacy Policy:

Terms defined hereunder:

Card: Your payment card issued by Pocopay

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data

Payment Account: Your payment account at Pocopay

Payment Account Terms: the Payment Account Terms available on the pocopay.com website

Pocopay: AS Pocopay, a company established under the laws of Estonia, registry code 12732518, address Pärnu mnt 18, Tallinn, 10141, Estonia

Policy: this Privacy Policy

TopUp Card: a payment card other than Your Pocopay Card which the You use for adding funds to Your Payment Account

You: any person using the Pocopay app and/or any person using any services offered by Pocopay

Terms defined in the Payment Account Terms:

Child: has the meaning given to it in the Payment Account Terms

Child Account: has the meaning given to it in the Payment Account Terms

2. What are the principles of processing my personal data?

Upon processing Your personal data, Pocopay follows the following principles:

2.1. Pocopay processes Your personal data only in accordance with this Policy and applicable laws;

2.2. Pocopay collects and processes Your personal data only for the purposes stipulated in this Policy;

2.3. Pocopay makes sure that the personal data which Pocopay collects and processes is:

2.3.1. adequate, relevant and limited to what is necessary for the purposes stipulated in this Policy;

2.3.2. accurate and up to date; and

2.3.3. stored only for such period as is necessary for the purposes stipulated in this Policy.

2.4. Pocopay applies appropriate technological and organizational measures to ensure the availability, authenticity, integrity and confidentiality of Your personal data.

3. What kind of personal data does Pocopay collect?

3.1. The personal data, which Pocopay collects and processes includes the following:

3.1.1. Personal Details – Your personal details, including Your full name, date of birth, personal identification code, citizenship, residency, residential address, e-mail address, mobile phone number, occupation, photo and/or video footage of Yourself, which You have forwarded Pocopay for the purpose of identifying Yourself.

3.1.2. Identification Document Data – Data retrieved from Your identification document which You have forwarded to Pocopay, including the document number, issue date, expiry date and issuing entity, photo and/or video footage of Your identification document, which You have forwarded Pocopay for the purpose of identifying Yourself.

3.1.3. Due Diligence Data – Data which Pocopay collects for the purpose of conducting customer due diligence under applicable anti-money laundering laws from Yourself and appropriate databases, including information about whether You have been affiliated with money laundering or terrorist financing, whether You have been prosecuted for a crime, whether You have been subject to any international financial sanctions, whether You have held a public office or whether You are a close relative or associate of someone who has held public office.

3.1.4. Transaction Data – Details of any transfers made to and from Your Payment Account, including the name and account number of the payer and the payee, the date, time, currency, amount and explanation of the transaction.

3.1.5. Card Data – Your Card data, including Your Card’s number, the name on Your Card and the expiry date of Your Card and the CVV number of Your Card (the 3-digit number on the back of Your Card).

3.1.6. Top-Up Card Data – Details of Your Top-Up Card Data, including the first 4 digits of Your Top-Up Card’s number, the name on Your Top-Up Card and the expiry date of Your Top-Up Card.

3.1.7. Device Data – Information regarding the device on which You are is using the Pocopay app, including the device’s model, name or any other identifier and the IP address of the network from which You are using the Pocopay app.

3.1.8. Preference Data – Your preferences in the Pocopay app (language preferences, transaction limits, etc).

3.1.9. Contact Data – The contacts list on Your device.

3.1.10. Customer Support Data – Communication between You and Pocopay’s customer support (e-mails and chat logs).

3.1.11. Usage Data – Data about Your interaction with the Pocopay app (e.g. information about which features of the Pocopay app do You use, which features You do not use, etc).

3.1.12. Tax Residency Data – Data about Your tax residency.

3.1.13. Other Data – Other data not listed in this Section 3.1, which is generated as a result of using the Pocopay app (e.g. gif-images added to payments, comments added to claims, etc).

4. Why does Pocopay collect and process my personal data?

4.1. Pocopay collects and processes Your personal data for the following purposes:

4.1.1. Compliance Purposes – to perform an obligation under applicable laws, including the obligation to:

  • (a) avoid money laundering, terrorist financing and fraud;
  • (b) ensure the fulfilment of international financial sanctions;
  • (c) ensure the security of Pocopay’s payment services;
  • (d) provide tax authorities data as required under tax information exchange laws;
  • (e) comply with the lawful inquiries and orders of:
    • (i) public authorities with whom Pocopay is obliged to cooperate under applicable laws, such as courts, bailiffs, trustees in bankruptcy, the police, financial supervisory authorities, financial intelligence units, tax authorities, etc;
    • (ii) other financial institutions with whom Pocopay is obliged to cooperate under applicable laws, including, upon Your prior authorization, payment information service providers and payment initiation service providers.

4.1.2. Contractual Purposes – to perform or enter into a contract between You and Pocopay.

4.1.3. Fraud Monitoring Purposes – to monitor and reduce payment fraud.

4.1.4. Analytical Purposes – to gain a better understanding of the preferences of Pocopay’s customers and how do customers interact with the Pocopay app.

Note that upon processing Your data for Analytical Purposes, Your data is part of a large mass of data. Pocopay does not analyse Your individual preferences or Your individual interaction with the Pocopay app.

4.1.5. Marketing Purposes – to send You marketing e-mails of Pocopay’s products and services.

4.1.6. Additional Features – to provide You additional features of the Pocopay app which require Your consent:

  • (a) Show Others Feature – the feature, which shows other Pocopay users that You are a Pocopay user;
  • (b) Scan Contacts Feature – the feature, which shows You which of Your contacts are Pocopay users.
  • (c) Card Details Update Feature – the feature, which automatically updates Your Card data with MasterCard and the online merchants with whom You have saved Your Card data.

5. Does Pocopay process my personal data for profiling or automated decision making?

Pocopay does not process Your personal data for automated decision making. Pocopay is, however, obliged under law, to assess the risk of money laundering, terrorist financing and fraud associated with You and Your transactions. This assessment is partly conducted by automated means and involves profiling.

6. What kind of personal data is used for which purposes?

6.1. Pocopay processes the following data for the following purposes:

6.1.1. Personal Details – Compliance Purposes, Contractual Purposes, Fraud Monitoring Purposes, Analytical Purposes and, upon Your prior consent, also for Marketing Purposes and/or the Show Others Feature.

6.1.2. Identification Document Data – Compliance Purposes.

6.1.3. Device Data – Compliance Purposes, Contractual Purposes and Analytical Purposes.

6.1.4. Transaction Data – Compliance Purposes, Contractual Purposes, Fraud Monitoring Purposes and Analytical Purposes.

6.1.5. Preference Data – Contractual Purposes and Analytical Purposes.

6.1.6. Card Data – Contractual Purposes, the Card Auto-Update Feature.

6.1.7. Top-Up Card Data –Contractual Purposes.

6.1.8. Contact Data – the Scan Contacts Feature.

6.1.9. Due Diligence Data – Compliance Purposes.

6.1.10. Customer Support Data – Contractual Purposes and Analytical Purposes.

6.1.11. Usage Data – Analytical Purposes.

6.1.12. Tax Residency Data – Compliance Purposes.

6.1.13. Other Data – Contractual Purposes.

7. On which grounds does Pocopay processes my personal data?

7.1. Pocopay processes Your personal data under the following lawful grounds:

7.1.1. Compliance Purposes – GDPR art 6 ( 1 ) ( c ), as relevant processing is necessary for compliance with obligations stipulated in applicable laws to which Pocopay is subject.

7.1.2. Contractual Purposes – GDPR art 6 ( 1 ) ( b ), as relevant processing is necessary for the performance or entry into a contract between You and Pocopay.

7.1.3. Fraud Monitoring Purposes – GDPR art 6 ( 1 ) ( f ), as Pocopay has sufficient legitimate interests to conduct relevant processing – to monitor and reduce payment fraud.

7.1.4. Analytical Purposes – GDPR art 6 ( 1 ) ( f ), as Pocopay has sufficient legitimate interests to conduct relevant processing – to gain a better understanding of the preferences of Pocopay’s customers and how do customers interact with the Pocopay app.

7.1.5. Marketing Purposes – GDPR art 6 ( 1 ) ( a ), as relevant processing is based on Your consent.

7.1.6. Additional Features – GDPR art 6 ( 1 ) ( a ), as relevant processing is based on Your consent.

8. Which of Pocopay’s data processing operations need my consent?

8.1. Pocopay needs Your consent for processing Your personal data for the following purposes:

8.1.1. Marketing Purposes;

8.1.2. Additional Features.

8.2. Pocopay does not process Your personal data for the purposes stipulated in Section 8.1 above unless You have granted Pocopay Your prior consent.

8.3. If Pocopay would want to process Your personal data for any new purpose, which requires Your consent, then Pocopay will not process Your personal data for such new purpose, before Pocopay has received Your consent for such processing.

9. How can I withdraw my consent for processing my personal data?

9.1. You can withdraw Your consent for processing Your personal data at any time as follows:

9.1.1. Additional Features:

  • (a) Show Others Feature – go to Your profile in the Pocopay app, select settings, toggle the button for “Show others I’m a Pocopay user”;
  • (b) Scan Contacts Feature – go to Your phone’s settings, select Privacy, select Contacts, toggle the button for “Pocopay” (may vary depending on the operating system of your phone);
  • (c) Card Details Update Feature – contact Pocopay’s customer support at support@pocopay.com (a button to toggle the feature on and off will be added soon);

9.1.2. Marketing Purposes:

  • (a) go to Your profile in the Pocopay app, select settings, toggle the button for “Allow Pocopay to send me marketing e-mails”.

9.2. The withdrawal of Your consent does not affect the legality of processing Your personal data prior to the withdrawal of Your consent.

10. Am I obliged to provide Pocopay my personal data under law?

No, there is no statutory obligation for You to provide Pocopay Your personal data. However, there are statutory obligations for Pocopay to collect Your personal data.

11. Is providing Pocopay my personal data a precondition for receiving Pocopay’s services?

Yes, in order for Pocopay to provide You its services, Pocopay needs to collect and process Your personal data. In case Pocopay is not able to collect or process Your personal data, Pocopay will not able to provide You its services. Pocopay does not, however, need Your Contact Data to provide You its services. Contact Data is only required to enable the Scan Contacts Feature.

12. What other sources besides myself does Pocopay use for collecting my personal data?

Pocopay collects Due Diligence Data from sources other than Yourself. Such sources include databases of people affiliated with money laundering or financing terrorism, databases of people, who have been accused of a crime, databases of people subject to international financial sanctions, databases of people who have held a public office, etc. Some of these databases are publicly available and some of them are not.

13. How long does Pocopay store my personal data?

13.1. Pocopay stores Your personal data for the following periods:

13.1.1. Transaction Data – 8 years after Your Payment Account is closed.

Pocopay is obliged to store this data for such period under accounting and taxation laws.

13.1.2. Personal Details, Identification Document Data, Due Diligence Data, Card Data, Top‑Up Card Data, Tax Residency Data – 5 years as of closing Your Payment Account, which, upon the request of the Estonian Financial Intelligence Unit may be extended up to another 5 years.

Pocopay is obliged to store this data for such period under anti-money laundering laws or, with regard to Tax Residency Data, under relevant tax information exchange laws.

13.1.3. Device Data, Preference Data, Other Data – Deleted shortly after the termination of Your Payment Account.

Pocopay needs to store this data for such period for Your Payment Account and Pocopay app to function.

13.1.4. Usage Data, Customer Support Data – 1 year as of its creation.

Pocopay stores this data for such period as within this period the data is still relevant for Analytical Purposes.

13.1.5. Contact Data – not stored at all.

Pocopay does not store Your Contact Data. The Scan Contacts Function scans Contact Data directly from Your phone.

13.2. After the periods stipulated in this Section 13.1 above Pocopay will delete Your personal data.

14. Where does Pocopay store my personal data?

Pocopay stores Your personal data on servers located within the European Economic Area. Pocopay’s partners may, however, store Your personal data on servers located outside the European Economic Area or otherwise process Your personal data outside the European Economic Area. In such case Pocopay applies the additional safeguards referred to in Section
18.1.3.

15. What are my rights in connection with my personal data?

15.1. In connection with the processing of Your personal data, You have the following rights:

15.1.1. Right to Information – You have the right to receive the information provided in this Policy. The valid version of this Policy will be available on the pocopay.com website at any given time.

15.1.2. Right to Access – You have the right to ask Pocopay to provide you with a copy of Your personal data which Pocopay processes.

15.1.3. Right to Rectification – You have the right to ask Pocopay to rectify Your personal data in case the data is incorrect or incomplete.

15.1.4. Right to Erasure – You have the right to ask Pocopay to erase Your personal data, unless Pocopay is obliged to continue processing Your personal data under law or under a contract between You and Pocopay, or in case Pocopay has other lawful grounds for the continued processing of Your personal data. In accordance with Section 13, Pocopay will, in any case, delete Your personal data as soon as it no longer has lawful grounds for processing Your personal data.

15.1.5. Right to Restriction – You have the right to ask Pocopay to restrict the processing of Your personal data in case the data is incorrect or incomplete or in case Your personal data is processed unlawfully.

15.1.6. Right to Data Portability – You have the right to ask Pocopay to provide You or, in case it is technically feasible, a third party, Your personal data, which You Yourself have provided Pocopay and which is processed in accordance with Your consent or a contract between You and Pocopay.

15.1.7. Right to Object – You have the right to object to processing Your personal data in case You believe Pocopay has no lawful grounds for processing Your personal data. For any processing conducted in accordance with Your consent, You can always withdraw Your consent by following the instructions set out in Section 9.1.

15.1.8. Right to File Complaints – You have the right to file complaints regarding Processing Your personal data as further described in Section 22.

15.2. You can exercise Your rights stipulated in this Section 15 by using the respective functionalities of the Pocopay app or sending a respective request to privacy@pocopay.com. In case You wish to transfer Your Payment Account to another service provider, then, instead of using Your Right to Data Portability, You may find it easier to do so by following these instructions.

15.3. Pocopay will make its best efforts to respond to Your application submitted in accordance with this Section 15 within 1 week. Under GDPR art 12 ( 3 ) Pocopay must respond to Your application within 1 month. In case it is necessary due to the number and complexity of applications filed with Pocopay, Pocopay may, under GDPR art 12 ( 3 ), also respond to Your application within 3 months.

16. How does Pocopay process the personal data of my Child in case I open a Child Account?

16.1. In case You open Your Child a Child Account, then Pocopay will process the personal data of Your Child the same way as it processes Your personal data as described in this Privacy Policy.

16.2. However, different from processing Your personal data, Pocopay will not process Your Child’s personal data for Marketing Purposes. This means Pocopay will not send Your Child marketing messages – despite the fact that Your Child might see a marketing consent toggle in his/her Pocopay app under his/her profile and settings.

16.3. You may close Your Child’s Child Account at any time by sending a respective application to support@pocopay.com.

17. Who else, besides Pocopay, may receive my personal data?

17.1. Upon processing Your personal data, Pocopay may share elements of Your personal data with the following third parties:

17.1.1. public authorities and other financial institutions whom Pocopay is obliged to disclose Your personal data under law;

17.1.2. server hosts who host Pocopay’s servers;

17.1.3. payment processors and payment network operators who process Your transactions;

17.1.4. identification service providers who help Pocopay verify Your identity and acquire Due Diligence Data;

17.1.5. card manufacturers who manufacture Your Card;

17.1.6. communication service providers who facilitate e-mails, calls, SMS messages and other communication between You and Pocopay;

17.1.7. couriers who help Pocopay deliver You letters (e.g. letters with Your Card and PIN codes);

17.1.8. partners, with whom Pocopay has arranged You a gift, a discount or another special offer;

17.1.9. other parties involved with the provision of Pocopay’s services.

17.2. The partners listed in Section 17.1 above may be located within and outside of the European Economic Area. In case any of the partners listed in Section 17.1 above is located outside of the European Economic Area, Pocopay applies the additional safeguards referred to in Section 18.1.3.

18. Which safeguards does Pocopay apply upon sharing my personal data with third parties?

18.1. Upon sharing Your personal data with third parties, Pocopay will apply the following safeguards (except as specified in Section 18.2):

18.1.1. Pocopay enters into a data processing agreement with the relevant third party;

18.1.2. Pocopay makes sure that such third party undertakes to implement appropriate technical and organizational measures ensuring the processing of Your personal data in accordance with this Policy and applicable laws;

18.1.3. Pocopay makes sure that:

  • (a) the third party is established in a jurisdiction which the European Commission has recognized as ensuring an adequate level of personal data protection; or;
  • (b) the processing of Your personal data is subject to other appropriate safeguards stipulated in the GDPR.

18.2. Pocopay cannot apply the safeguards stipulated in Section 18.1 above upon sharing Your personal data with public authorities and other financial institutions whom Pocopay is obliged to disclose Your personal data under law.

19. How may this Policy be amended?

Pocopay may unilaterally amend this Policy from time to time. Upon amending this Policy, Pocopay will notify You about the new Policy by e-mail and/or via the Pocopay app. In case the new Policy refers to processing Your personal data for any new purpose, which requires Your consent, then Pocopay will not process Your personal data for such new purpose, before it has Your consent for processing Your personal data for such new purpose.

20. Where can I find the valid version of this Policy?

The valid version of this Policy is available on the pocopay.com website at any given time. The valid version of this Policy will also be available to You via the Pocopay app, provided that Your Pocopay app is updated to the latest version.

21. Who is the data controller of my personal data?

The data controller of Your personal data is AS Pocopay, a company established under the laws of Estonia, registry code 12732518, address Pärnu mnt 18, 10141 Tallinn, Estonia.

22. Where can I file inquiries, request and complaints in connection with processing my personal data?

22.1. In case You have inquiries, requests or complaints regarding the processing of Your personal data, You may forward them to at privacy@pocopay.com.

22.2. In case You have complaints regarding the processing of Your personal data, You may file them with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or the Data Protection Authority of the state in which You have permanent residence.

23. Where can I reach Pocopay’s data protection officer?

You may contact Pocopay’s data protection officer at privacy@pocopay.com.