Privacy Notice for Customers
Effective since 20 December 2023
1.Introduction
1.1.About us. This Privacy Notice provides the essential information on how Paymont, UAB, legal entity code 305673740, registered address at Šeimyniškių g. 19B-701, Vilnius, the Republic of Lithuania (Paymont, we or us) processes personal data of its clients (you or the clients). Paymont is an electronic money institution licensed by the Bank of Lithuania (for more information please visit this website). Paymont's activities focus on providing payment services to consumers and small and medium-sized companies mainly in Lithuania and the European Economic Area, operators of peer-to-peer lending and crowdfunding platforms, and some other businesses.
1.2.Our commitment to your privacy. At Paymont, we value your privacy and are dedicated to safeguarding the confidentiality and security of your personal information. We understand the importance of maintaining the trust you place in us when you choose to use our services. We are committed to being transparent about how we collect, use, and protect your data. While processing your data, we adhere strictly to the data processing requirements established by the European Union, Lithuania, Czech Republic, Slovakia and other countries where we may operate. Primarily, this entails compliance with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR). Please read this Privacy Notice carefully and do not hesitate to contact us if you have any questions regarding the processing of your personal data.
2.How, why and what data we collect
2.1.How we collect your data. We collect your data directly from you, from other persons and automatically:
- Direct collection is when you interact with us, such as by registering an account, using our services, app, website, submitting forms, or communicating with our team. This includes information you provide voluntarily, such as your name, contact details, payment information, and any other information you choose to share. Where provision of data is necessary to fulfil regulatory or contractual obligations, failure to provide such data may result in the inability to provide the requested services or may prevent us from complying with legal obligations, such as conducting anti-money laundering checks or verifying your identity. For example, if you refuse to provide necessary identification information for a financial transaction, we may not be able to process your request. We are committed to transparently informing you about the consequences of not providing personal data, so you can make informed decisions regarding the information you choose to share.
- Indirect collection happens in certain instances where we may collect data from other sources, including but not limited to publicly available sources (such as public registers and databases, where permitted by law), third-party service providers or other business partners that assist us in providing and improving our services. Regardless of the source, we ensure that all data collected is processed in accordance with this Privacy Notice and applicable personal data protection legislation. We are committed to transparency and will inform you of the sources from which your data is collected, as well as the purposes for which it is used.
- Automatic collection may happen when you (a) submit queries through our website, app or through our social networking accounts, (b) use our website (then data is collected with the help of cookies and similar technologies), (c) publish public posts on social networking platforms that we are administering or during your similar activities.
2.2.Why we collect your data. We collect and process your data so that we can properly provide our services to you and abide by our statutory obligations. In all cases we process your personal data only if and to the extent that at least one of the following bases applies:
- you have given us consent to the processing of your personal data for one or more specific purposes;
- processing is necessary for the performance of a contract concluded between you and us or to take steps at your request prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which we, as data controller, are subject;
- processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms, which require protection of personal data.
2.3.Types of data we may collect. We may collect and further process the following data of yours:
| Purpose | Your data | Legal ground for processing |
|---|---|---|
| Provision of payment services |
|
|
| Access to the individual client’s account |
|
|
| Prevention of money laundering and terrorism financing & fraud; implementation of sanction regime |
|
|
| Administration of clients’ requests |
|
|
| Direct marketing |
|
You may opt-out of these messages at any time |
| Visiting our website |
|
|
2.4.Cookies: we use cookies, which are small text files that a website server stores on your hard drive. This allows us to collect certain information from your web browser. You can find more information on how we use cookies in our Cookies Policy.
3.How we share your data
3.1.Whom we share your data with and why. We may share your personal data with other persons for purposes consistent with this Privacy Notice:
- Other members of the group of companies to which we belong.
- Service providers, also known as data processors, who assist in processing your personal data. These may include companies providing data storage, server and/or communication services, software development and maintenance, marketing services, online traffic and website analysis, statistics services, and other service providers involved in delivering our services.
- Our business partners when engaging in providing specific services to them.
- Third parties such as courts, legal or audit service providers, etc., in compliance with legal requirements.
3.2.Safeguards when sharing your data. We transfer your data to third parties only after establishing necessary legal agreements with them and ensuring that they are capable of processing personal data in compliance with the requirements of applicable personal data protection legislation. We take measures to ensure that our data processors have appropriate technical and organizational measures in place. Generally, we do not transfer personal data outside the European Economic Area.
4.Automated decisions about you
4.1.Automated decision-making processes. Depending on our products or services you use, we may employ automated decision-making processes (also referred to as profiling) concerning you. This entails utilizing technology to assess your personal circumstances and other factors to anticipate risks or outcomes. We use automated decision-making to ensure the efficient operation of our services and to guarantee that decisions are equitable, consistent, and founded on accurate information. For example, we may utilize automated decisions related to account openings (including KYC, anti-money laundering, and sanctions checks, as well as identity and address verification), as well as fraud detection (by monitoring accounts for fraudulent activities and financial crimes).
4.2.Compliance and transparency. Regardless of the use of automated decision making in certain cases, we ensure that all data collected is processed in accordance with this Privacy Notice and applicable data protection laws. We are committed to transparency and will provide information on requests you have regarding this matter. In cases where we reach automated decisions concerning you, you retain the right to request a manual review conducted by a human being (for further details on this right, please refer to the section below).
5.Your rights and choices
5.1.Your rights regarding your data. You have the following rights established by the GDPR:
- Right to be informed: you have a right to be informed about your data processing, including purposes and legal grounds of processing.
- Right of access: you have a right to get information as to whether personal data concerning you is being processed, and, if that is the case, access to your personal data and defined information about such data processing.
- Right of rectification: you have the right to request to rectify inaccurate personal data concerning you or complete the incomplete personal data.
- Right to erasure (“right to be forgotten”): you have the right to request the erasure of your personal data in such cases: (a) the personal data are no longer necessary; (b) you withdraw consent on which the processing is based and where there is no other legal ground for the processing; (c) you object to the processing and there are no overriding legitimate grounds for the processing; (d) your personal data has been unlawfully processed; (e) your personal data has to be erased for compliance with a legal obligation.
- Right to restriction of processing: you have a right to request the restriction of processing of your personal data in such cases: (a) you contest the accuracy of the personal data – for a period enabling us to verify the accuracy of the personal data; (b) the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead; (c) we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defence of legal claims; (d) you have objected to processing pending the verification whether our legitimate grounds override those of yours, as data subject.
- Right to data portability: you have a right to receive the personal data which you have provided to us, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller in such cases: (a) the processing is based on consent or on a contract; and (b) the processing is conducted by automated means. You have a right to have the personal data transmitted directly from us to another controller, where technically feasible.
- Right to object: you have a right to object at any time to processing of personal data concerning you which is based on legitimate interest or public interest, including profiling. Where personal data are processed for direct marketing purposes, you have a right to object at any time to such processing of personal data. You will always have a right to revoke your consent to process your personal data. If we have no other legal basis for the processing of personal data, we will cease processing of personal data immediately after the cancellation/revocation of the consent provided by you.
- Rights in relation to automated individual decision making, including profiling: you have a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
5.2.How you can implement your rights. To exercise your rights regarding your personal data, please contact us using the contact information provided in this Privacy Notice. Upon receiving your written request, we will take the necessary actions to promptly and properly address your requests related to data processing. We aim to respond to your request immediately, and in any case, no later than within 1 month. In certain circumstances, such as when dealing with an exceptionally large amount of data, we may extend this timeframe by an additional 2 months. Generally, we handle all requests free of charge. However, if your request is clearly unfounded or excessive, for example, due to its repetitive nature, we may consider (a) charging a reasonable fee based on actual administrative costs, or (b) refusing to act on the request. Additionally, you have the right to lodge a complaint with the State Data Protection Inspectorate (located at L. Sapiegos str. 17, 10312, Vilnius, the Republic of Lithuania; email: ada@ada.lt). For more information, please visit their website.
6.How we protect your data
6.1.Our commitment to keeping your data safe. We take the protection of your personal data very seriously and consistently implement all necessary organizational and technical measures to ensure the confidentiality, integrity, and availability of your personal data.
6.2.Measures we take to protect your data. To safeguard your personal data, we undertake the following measures, including but not limited to:
- documenting all processing of personal data in data security policies and procedures;
- clearly defining internal roles and responsibilities related to the processing of personal data;
- ensuring access control, change management, and asset management;
- prior to engaging third parties as data processors, we define, document, and reconcile all necessary formalities with such data processors;
- establishing basic procedures to be followed in the event of an incident or personal data breach to ensure the necessary continuity and availability of personal data processing by IT systems;
- ensuring that all employees understand their responsibilities and obligations regarding the processing of personal data;
- implementing measures for the protection of servers, databases, workstations, and network and software security;
- applying backups and data recovery practices to mitigate the risk of data loss or unauthorized access.
7.Data retention
7.1.Why we retain your data. We retain your data for specific purposes outlined in this Privacy Notice and as required by law. One reason for retaining your information is to ensure that we can provide you with the services you expect from us effectively. Additionally, we may retain your data to comply with legal obligations, resolve disputes, enforce agreements, and protect our rights.
7.2.How long we keep your data. We keep data in a form that permits identification of data subjects for no longer than is necessary for the purposes for which personal data is processed (storage limitation principle). As a general rule we store data for the period of 8 (eight) years commencing from the end of the business relationship with you, unless specific retention limits are defined in legal acts regulating anti-money laundering, archiving, employment, tax, data protection, etc. We ensure that data whose retention period has ended is no longer processed. At the end of the defined retention period, we either destroy personal data or anonymize it.
8.Updates to our Privacy Notice
8.1.How we notify you of changes. We reserve the right to update this Privacy Notice periodically. In the event of any changes to this Privacy Notice, we will notify you in advance and publish the updated version on our website.
8.2.Your right to review updates. You have the right to review any updates and changes made to our Privacy Notice. We encourage you to regularly check our website for the latest version of our Privacy Notice. If you have any questions or concerns about the updates, please do not hesitate to contact us.
9.Contact
9.1.How to reach us with questions or concerns. If you have any questions, concerns, or requests regarding our privacy practices or the information outlined in this Privacy Notice, please feel free to contact us. You can reach us by e-mail: info@paymont.eu or by phone at +420 296 187 870.
10.Final provisions
10.1.This Privacy Notice for Customers, its amendments or supplements enter into force upon their approval by the decision of the Board, unless it specifies another date of entry into force of the Privacy Notice for Customers, its amendments, or supplements.
10.2.The Privacy Notice for Customers is reviewed annually or more frequently in case an immediate need (e.g., in case of legislative changes) is determined.
History of amendments
| Version | Date | Short explanation of the amendment |
|---|---|---|
| 1. | 2023-12-20 | First version |
| 2. | 2024-12-16 | Second version, periodic update, no changes needed, except for corrections of minor typos |
| 3. | 2025-12-18 | Third version, periodic update, minor changes only (such as address update, etc.), Art. 10.3. deleted as no longer applicable |