Privacy Policy for Smart One Merchant Portal

This Privacy Policy (“Policy”) describes how SO POS Innovative Technologies Limited (3 Cavendish Row, Dublin1, D01 A2T5, Ireland) collects, uses, discloses, transfers, stores, retains or otherwise processes your information when you visit our websites or sign up for a SO POS Innovative Technologies Limited services on Merchant Portal (“Service”).

This Policy comes into force for the Data subject when Merchant Portal is fully or partially deployed on the Data subject’s electronic device.

The Data subject when using Merchant Portal is considered as who has read and accepted the terms of this Policy.

1. Definitions

“Smart One Merchant Portal or Merchant Portal” means resource of SO POS Innovative Technologies Limited via which natural or legal person can submit payment credentials, other details and information, orders to banks and other financial institutions to initiate, accept or effect payments, and use for access to applications provided by SO POS Innovative Technologies Limited.

“Service” means arrangement and technical maintenance for transmission of payment credentials, other details and information, orders to banks and other financial institutions to initiate, accept or effect payments, and for access to applications provided by SO POS Innovative Technologies Limited.

“Personal data” means any information relating to an identified or identifiable natural person (“Data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the identity of that natural person.

“Data subject” means any identified or identifiable natural person, whose Personal data is processed by the Data Controller responsible for the processing.

“Processing” means any operation or set of operations that are performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Controller” means a natural or legal person which is responsible for the processing and authorized to determine the purposes and means of the processing of Personal data. SO POS Innovative Technologies Limited is the “Data Controller” of your Personal data that is processed in connection with this Policy.

“Recipient” means a natural or legal person, public authority, agency or another body, to which the Personal data are disclosed, whether a third party or not.

“Third-party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

“Profiling” means any form of automated processing of the Personal data consisting of the use of the Personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

“Consent” means any freely given, specific, informed and unambiguous indication of the Data subject’s wishes by which he/she, by a statement or by clear affirmative action, signifies agreement to the processing of Personal data relating to him or her.

2. Collection of the Personal data

SO POS Innovative Technologies Limited collects information about the Data subject in three ways:

• (i) when the Data subject provides it to us directly;
• (ii) when we gather information while the Data subject is using the Service, and
• (iii) when we collect information from other sources.

Please note that the Personal data we collect and process depend on the Service the Data subject uses.

Below is a description of the types of information that SO POS Innovative Technologies Limited may receive directly from the Data subject.

“Identity Data” includes first name, last name, identity document number, identity document expiry date, identity document issued date, personal identity number (if it is issued), birth date, email address, address and telephone numbers.

“Financial Data” includes bank account and payment card details, which may include the Bank Identification Number (BIN) and the last four digits of the card number, the card type, postcode, expiry date or country of issue.

“Technical Data” includes information obtain from the Data subject’s device or browser (such as IP address, your login data, version and device identifiers, time zone setting and location, browser plug-in types and versions and operating system) as well as how Data subject uses our websites. We may automatically collect data about the Data subject’s equipment, browsing actions and patterns. We collect this personal data by using server logs and other similar technologies. We may also receive data about the Data subject if the Data subject visits other websites employing our cookies.

“Data subject’s Device Data” includes information about the Data subject’s device, including hardware model, operating system and version, device name, unique device identifier, mobile network information, and information about the device's interaction with our Service.

“Due Diligence Data” includes any such information that SO POS Innovative Technologies Limited may need to comply with anti-money laundering or similar legislation, such as identification documents (identity cards, passports or equivalent), pictures of yourself or other information that SO POS Innovative Technologies Limited may be required to collect to verify the Data subject’s identity.

3. Lawful bases for the processing of the Personal data

SO POS Innovative Technologies Limited will only use the Data subject’s Personal data when the law allows us to. Most commonly, SO POS Innovative Technologies Limited will use the Data subject’s Personal data in the following circumstances:

• (i) for the transmission the Data subject’s Personal data via Merchant Portal to our counterparties due to providing payment services.
• (ii) for the performance of a contract, SO POS Innovative Technologies Limited is about to enter into, or has entered into with the Data subject.
• (iii) where it is necessary for our legitimate interests (or those of a third party) and the Data subject’s interests and fundamental rights do not override those interests. We consider and try to balance the possible potential effects (positive or negative) and the Data subject’s rights before processing the Data subject’s Personal data for our legitimate interests; and
• (iv) where we need to comply with a legal or regulatory obligation.

Generally, SO POS Innovative Technologies Limited does not rely on the Consent as a legal basis for processing your Personal data other than some cases when sending direct marketing communications to you via email or text message. You have the right to withdraw the Consent at any time.

Note that SO POS Innovative Technologies Limited may process your Personal data relied on more than one lawful base depending on the specific purpose(s) for which SO POS Innovative Technologies Limited is using your Personal data.

4. Purposes for usage of the Personal data

SO POS Innovative Technologies Limited has set out below, a description of all the purposes for which it will process your Personal data.

• (i) To register the Data subject as a new customer;
• (ii) If the Data subject is using Service (either as our customer or a customer of our customer), to facilitate a transaction;
• (iii) To manage our arrangement with the Data subject;
• (iv) To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
• (v) To deliver relevant website content and advertisements to the Data subject and measure or understand the effectiveness of the advertising we serve to the Data subject;
• (vi) To use data analytics to improve our website, Service, marketing, customer relationships and experiences;
• (vii) To make suggestions and recommendations to the Data subject about Service that may be of interest to the Data subject;
• (viii) To comply with laws and to respond to and comply with requests from the government, regulators and other third parties with legal authority, including but not limited to: anti-money laundering, fraud, anti-terrorism, anti-slavery or similar legislations;
• (ix) To investigate, detect and prevent fraud or crime;
• (x) To exercise or defend legal claims’
• (xi) To manage relationship with the Data subject, including asking the Data subject to leave a review or complete a survey.

5. Disclosures of the Personal data

SO POS Innovative Technologies Limited may share the Personal data described in section 2 for the purposes set out in section 4 with the following Recipients:

• (i) Service providers who provide IT and system administration services.
• (ii) Credit card networks and payment networks such as Visa and MasterCard and any others.
• (iii) Professional advisers who legitimately need to have access to the personal data for a business need.
• (iv) Regulators and other authorities who require reporting of processing activities in certain circumstances.
• (v) Third parties whom SO POS Innovative Technologies Limited engages with in order to facilitate our contract with the Data subject.
• (vi) Third parties to whom SO POS Innovative Technologies Limited may choose to sell, transfer, or merge parts of its business or its assets. Alternatively, SO POS Innovative Technologies Limited may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use the Data subject’s Personal data in the same way as set out in this Policy.
• (vii) The Data subject’s Personal information may be shared with the companies within our SO POS Innovative Technologies Limited’s group. SO POS Innovative Technologies Limited shares information with them, so they can assist us in providing services to the Data subject and to understand more about the Data subject.
• (viii) SO POS Innovative Technologies Limited shall be taken to include any entity that directly or indirectly controls, is controlled by, or is under common control with from time to time, whether located in or outside of the EEA. When SO POS Innovative Technologies Limited transmits Personal data between our group entities located inside and outside of the EEA, this sharing is governed by our intra-group data sharing and processing agreement which is drafted in compliance with the GDPR and includes the relevant safeguards necessary for transfers outside the EEA.
• (ix) SO POS Innovative Technologies Limited requires all third parties to respect the security of the Data subject’s Personal data and to treat it in accordance with the law. SO POS Innovative Technologies Limited does not allow our third-party service providers to use the Data subject’s Personal data for their own purposes and, unless otherwise notified to the Data subject, only permit them to process the Data subject’s Personal data for specified purposes and in accordance with our instructions.

6. International Transfers

Many of SO POS Innovative Technologies Limited external third parties are based outside the European Economic Area (“EEA”) so their processing of the Data subject’s Personal data will involve a transfer of data outside the EEA.

Whenever SO POS Innovative Technologies Limited transfers the Data subject’s Personal data out of the EEA, it will take reasonable steps to ensure that the Data subject’s Personal data is kept secure, including where relevant, by entering into appropriate contractual terms with the receiving party outside the EEA, such as the Standard Contractual Clauses approved by the EU Commission or issued by the UK Information Commissioner’s Office (as applicable) or any other approved mechanisms that may become available to SO POS Innovative Technologies Limited in the future. SO POS Innovative Technologies Limited will also carry out a risk assessment of the laws and practices of the destination country to identify any technical and organisational measures that need to be put in place to ensure that the Data subject’s Personal data is fully protected when transferred to that country.

7. Data security

Data security is extremely important to SO POS Innovative Technologies Limited, and SO POS Innovative Technologies Limited has put in place appropriate security measures (such as encryption, confidentiality obligations of our personnel, log-in records, vulnerability testing etc,) to prevent the Data subject’s Personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, SO POS Innovative Technologies Limited limits access to the Data subject’s Personal data to those employees, agents, contractors and other third parties who have a business need to know.

SO POS Innovative Technologies Limited has put in place procedures and incident management policies to deal with any suspected personal data breach and will notify the Data subject and any applicable regulator of a breach where we are legally required to do so.

8. Duration of retaining the Personal data

SO POS Innovative Technologies Limited will only retain the Personal data for as long as necessary to fulfil the purposes we collected it for, including the purpose of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, SO POS Innovative Technologies Limited considers the relevant laws, amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the Personal data, the purposes for which we process the Personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances SO POS Innovative Technologies Limited may anonymise the Personal data (so that it can no longer be associated with the Data subject) for research or statistical purposes.

9. Automated decision making

SO POS Innovative Technologies Limited may sometimes use systems to make automated decisions about the Data subject or the Data subject’s business to provide the Data subject with a better and safer experience. SO POS Innovative Technologies Limited may use information that it already has or that it can collect from third parties. SO POS Innovative Technologies Limited may use automated decision making to:

• (i) Approve or deny the Data subject applications for its Service or products;
• (ii) Determine pricing and rates for its Service;
• (iii) Provide the Data subject with tailored offers. Detect fraud and comply with anti- money laundering legislation

The Data subject can object to automated decision making and ask that a person reviews it.

10. The Data subject rights

The Data subject has the following rights under data protection laws in relation to his/her Personal data:

• (i) Request access to the Personal data (commonly known as a “Data subject access request”). This enables the Data subject to receive a copy of the Personal data we hold about the Data subject and to check that we are lawfully processing it.
• (ii) Request correction of the Personal data that we hold about the Data subject. This enables the Data subject to have any incomplete or inaccurate data we hold about the Data subject corrected.
• (iii) Request erasure (Right to be forgotten) of the Personal data. This enables the Data subject to ask us to delete or remove the Personal data where there is no good reason for us continuing to process it.
• (iv) Object to processing of the Personal data where we are relying on a legitimate interest (or those of a third party).
• (v) Request restriction of processing of the Personal data. This enables the Data subject to ask us to suspend the processing of the Personal data in the following scenarios:
• (a) if the Data subject wants us to establish the Personal data’s accuracy;
• (b) where the Data subject needs us to hold the Personal data even if we no longer require it as the Data subject needs it to establish, exercise or defend legal claims; or
• (c) the Data subject has objected to our use of the Personal data but we need to verify whether we have overriding legitimate grounds to use it.
• (vi) Request the transfer of the Personal data to a third party. We will provide to the third party the Data subject has chosen, his/her Personal data in a structured, commonly used, machine-readable format.
• (vii) Withdraw Consent at any time where we are relying on Consent to process the Personal Data. However, this will not affect the lawfulness of any processing carried out before the Data subject withdraws his/her Consent. If the Data subject withdraws his/her Consent, we may not be able to provide certain products or Service to the Data subject. We will advise the Data subject if this is the case at the time the Data subject withdraws his/her Consent.
• (viii) Right for the Data subject not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning the Data subject or similarly significantly affect the Data subject. If the Data subject wishes to exercise any of the rights set out above, please contact us via email: support@smartoneglobal.com.

No fee is usually required to access the Personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if the Data subject’s request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with the Data subject’s request in these circumstances.

What we may need from the Data subject is specific information to help us confirm the Data subject’s identity and ensure the Data subject’s right to access the Data subject’s Personal data (or to exercise any of the Data subject’s other rights).

Time limit to respond, in cases of legitimate requests, is one month. Occasionally it may take us longer than one month if the Data subject’s request is particularly complex or the Data subject has made a number of requests. In this case, we will notify the Data subject and keep the Data subject updated.

11. Changes to this Policy

SO POS Innovative Technologies Limited reserves the right to change, modify or amend this Policy at any time, but will not reduce the level of privacy protection contained herein.

This Policy is valid indefinitely until it is replaced by a new version. The current version of this Policy is available on the SO POS Innovative Technologies Limited’s websites.

12. Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about the Data subject. SO POS Innovative Technologies Limited does not control these third-party websites and is not responsible for their privacy statements. When the Data subject leaves our website, we encourage the Data subject to read the Privacy Policy of every website the Data subject visits.

13. Cookies

SO POS Innovative Technologies Limited uses cookies to analyse how the Data subject uses our websites. Please read our Cookie Policy for more information about cookies. Cookies also allow us to collect information such as the Data subject’s IP address, browser, email type and other similar details. We use this information to measure the performance of our email campaigns, and for analytics.

14. The Personal data processing place

SO POS Innovative Technologies Limited stores the Personal data until retention only in the EEA.

In some extra cases data can be sent outside the EEA but only if additional and necessary safety guards would be ensured.

15. Contact

Contact Details of Our UK Branch:
PAW TECH SOLUTIONS LIMITED
85 Great Portland Street, W1W 7LT, London, United Kingdom
contact@smartoneglobal.com
+34 675 03 35 02

16. Language

The English language version of this Policy shall be binding. Any translation or other language version of this Policy shall be provided for convenience only. In the event of a conflict between the English version and any translation or other language version of this y Policy, the English language version shall prevail.