Privacy Policy

1. About this Privacy Statement
This is the Privacy Statement of Curtispay. (“Curtispay.” or “we”). It applies to all subsidiaries and branches of Curtispay to the extent that they process personal data.
Curtispay treats personal data which it receives through its websites, portals and any other means with due care and is dedicated to safeguarding any personal data it receives. Curtispay is bound by the General Data Protection Regulation (Regulation (EU) 2016/679).
This Privacy Statement is designed to advise you about the type of information that Curtispay collects and the purposes for which this information is being processed, used, maintained and disclosed.
This Privacy Statement aims to explain in a simple and transparent way what personal data we gather about you and how we process it. It applies to the following persons: • the legal representatives and ultimate beneficial owners of all past, present and prospective Curtispay merchants and other commercial contracting parties such as independent sales agents (also known as referral partners). We are legally obliged to retain personal data of these persons, also for a certain period after the relationship has ended, in compliance with ‘know your customer’ (“KYC”) regulations; • anyone involved in any transaction with our payment institution, including non-Curtispay customers such as consumers/payees of Curtispay merchants; and • anyone visiting the Curtispay website.
We may amend this Privacy Statement to remain compliant with any changes in law and/or to reflect how our business processes personal data. This version was created 8th September 2020.

2. Personal Data
Personal data refers to any information that tells us something about you or that we can link to you. Curtispay processes any information we receive from you, including personal and financial information you provide to us including when you or your business: make a payment, enquire or make an application for Curtispay’s services, register to use and/or use any of our services and when you communicate with us through e-mail, SMS, Any Messenger app, a website or portal, telephone or any other electronic means.
Such information may include you or your customer’s: • name including first name and family name, date of birth, e-mail address, billing address, username, password and/or photograph, address, nationality and country of residence; • card account number, card expiry date, CVC details, bank and/or issuer details; and/or • information relating to any items purchased, including the location of the purchase, the value, the time and any feedback that is given in relation to such purchase.
By processing, we mean everything we can do with this data such as collecting, recording, storing, adjusting, organising, using, disclosing, transferring or deleting. For more information about the way we use your personal data, please refer to Section 4 (“What we do with your personal data”).
You share personal information with us, for example when you: visit our website, complete a(n) (online) (application) form, sign a contract, make a payment or alternatively use our payment services, or contact us through one of our channels.
We also use data that is legally available from public sources such as commercial registers, debtor registers and the media, or data that is legitimately provided by other companies within Curtispay or by third parties.

3. Sensitive data
We do not record sensitive data relating to your health, ethnicity, religious or political beliefs unless it is strictly necessary. When we do it is limited to specific circumstances, for example if you as a customer of an Curtispay merchant make a payment for a membership fee to a political party or religious organisation.

4. What we do with your personal data
We only use your personal data for legitimate business reasons. This includes:
Administration. When you open a merchant account we are legally obliged to collect personal data that verifies your identity (such as a copy of your ID card or passport) and to assess whether we can accept you or your company as a customer. We also need to know your address or phone number to contact you. Managing customer relationships. We may ask you for feedback about our products and services and share this with certain members of our staff to improve our offering. We might also use notes from conversations we have with you online, by telephone or in person to customise products and services for you. Credit risk. To assess the financial position of your company we apply specific risk models that may involve the use of personal data. Personalised marketing. We may send you letters, emails, or text messages offering you a product or service based on your personal circumstances, or show you such an offer when you log in to our website or mobile apps. You may unsubscribe from such personalised offers. You have the right, not to consent or to object to personalised direct marketing or commercial activities, including profiling related to these activities. Providing you with the best-suited products and services. When you visit our website, call our customer service centre or visit a branch, we gather information about you. We analyse this information to identify your potential needs and assess the suitability of products or services. For example, we may suggest investment opportunities suited to your profile. We analyse your payment behaviour, such as large amounts entering or leaving your account. We assess your needs in relation to key moments when a specific financial product or service may be relevant for you, such as starting your first job or buying a home. We assess your interests based on simulations you participate in on our website. Improving and developing products and services: Analysing how you use our products and services helps us understand more about you and shows us where we can improve. For instance, when you open a merchant account, we measure the time it takes until your first transaction to understand how quickly you are able to use your merchant account. We analyse data on transactions between you and our corporate customers (merchants) to offer information services. When Curtispay processes personal data for this purpose, aggregated data may be made available to the Curtispay merchant This merchant cannot identify you from these aggregated data. We analyse the results of our marketing activities to measure their effectiveness and the relevance of our campaigns. Preventing and detecting fraud and data security: We have a duty to protect your personal data and to prevent, detect and contain data breaches. This includes information we are obliged to collect about you, for example to comply with regulations against money laundering, terrorism financing and tax fraud. We may process your personal information to protect you and your assets from fraudulent activities, for example if you are the victim of identity theft, if your personal data was disclosed, or if you are hacked. We may use certain information about you for profiling (e.g. name, account number, age, nationality, IP address, etc.) to quickly and efficiently detect a particular crime and the person behind it. Our merchants may use contact and security data to secure transactions and communications made via remote channels. Internal and external reporting: We process your data for our payment operations and to help our management make better decisions about our operations and services. To comply with a range of legal obligations and statutory requirements (anti-money laundering legislation and tax legislation, for example). Data that we process for any other reason is anonymised or we remove as much of the personal information as possible

5. Who we share your data with and why
Whenever we share personal data internally or with third parties in other countries, we ensure the necessary safeguards are in place to protect it. For this, Curtispay relies on: • EU Model clauses, which are standardised contractual clauses used in agreements with service providers to ensure personal data transferred outside of the European Economic Area complies with EU data protection law. • Privacy Shield framework that protects personal data transferred to the United Kingdom.
To be able to offer you the best possible services and remain competitive in our business, we share certain data both internally as well as outside of Curtispay. This includes:
Curtispay entities – We transfer data across Curtispay businesses and branches for operational, regulatory or reporting purposes, for example to comply with certain laws, secure IT systems or provide certain services (see section 4 (“What we do with your personal data”). We may also transfer data to centralised storage systems or to process it globally for more efficiency.
Independent sales agents – We share information with independent sales agents (referral partners) who act on our behalf.
Government authorities – To comply with our regulatory obligations, we may disclose data to the relevant authorities, for example to counter terrorism and prevent money laundering.
In some cases, we are obliged by law to share your data with external parties, including: • public authorities, regulators and supervisory bodies such as fraud protection agencies and the central banks of the countries where we operate • judicial/investigative authorities such as the police, public prosecutors, courts and arbitration/mediation bodies on their express and legal request • lawyers, for example, in case of a claim or bankruptcy, trustees who take care of other parties’ interests and company auditors.
Financial institutions – When funds are transferred from a payer to a payee, the transaction involves other financial institutions, banks or a specialised financial company. Curtispay may process payments through such other financial institutions. These external organisations may process and store your personal information abroad and we and they may have to disclose your information to foreign authorities to help them in their fight against crime and terrorism. To process payments, we have to share information about the transaction with other financial institution, such as your name and account number. We also share information with financial sector specialists who assist us with financial services like: • payments and credit transactions worldwide • processing electronic transactions worldwide • settling domestic and cross-border security transactions and payment transactions.
Sometimes we share information with banks or financial institutions in other countries, for example when you make or receive a foreign payment.
Third party service providers – When we use other service providers, we only share personal data that is required for the particular task we involve the service provider for. Service providers support us with activities like: • performing certain services and operations • designing and maintenance of internet-based tools and applications • marketing activities or events and managing customer communications • preparing reports and statistics, printing materials and designing products • placing advertisements on apps, websites and social media.
Business transfers – Curtispay may buy or sell business units or affiliates. In such circumstances, we may transfer customer information as a business asset. Without limiting the foregoing, if our business enters into a joint venture with or is sold to or merged with another business entity, your information may be disclosed to our new business partners or owners.
With your permission – Your information may also be used for other purposes for which you give your specific permission, or when required by law or where permitted under the terms of the laws of the relevant jurisdiction.

6. Your duty to provide data
There is certain information that we must know about you so that we can commence and execute our duties as a payment institution and fulfil our associated obligations. There is also information that we are legally obliged to collect. Without this data, we may, for example, not be able to open a payment processing account for your company.

7. How we protect your personal data
We apply an internal framework of policies and minimum standards to keep your data safe. These policies and standards are periodically updated to keep them up to date with regulations and market developments. More specifically and in accordance with the law, we take appropriate technical and organisational measures (policies and procedures, IT security etc.) to ensure the confidentiality and integrity of your personal data and the way it’s processed.
In addition, Curtispay employees are subject to confidentiality and may not disclose your personal data unlawfully or unnecessarily.

8. What you can do to help us keep your data safe
Unfortunately, the transmission of information via the internet in general is not always completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We do our utmost to protect your data, but there are certain things you can do too:
install anti-virus software, anti-spyware software and a firewall on your computer and keep them updated; do not leave verification tokens or your credit card) unattended; keep your passwords strictly confidential and use strong passwords, i.e. avoid obvious combinations of letters and figures; and • be alert online and learn how to spot unusual activity, such as a new website address or phishing emails requesting personal information.

9. How long we keep your personal data
Once you are no longer a customer, we will retain your personal information for a reasonable period, or as otherwise allowed or required by law.

10. Contact us
If you want to know more about Curtispay’s data policies and how we use your personal data, you can send us an e-mail at the following dedicated e-mail address: info@curtispay.com