Privacy Policy & GDPR
This Privacy Policy ("Policy") describes how Arbor Services OOD d.b.a. Empayo ("Empayo," "we," "us," or "our") collects, uses, shares, and stores personal data. This notice is issued pursuant to the EU General Data Protection Regulation (GDPR) and applies to you if you are located in the European Economic Area (EEA). Furthermore, this Policy delineates the rights you hold as a data subject, including the right to object to certain uses of your Personal Data by us.
The term "Personal Data" refers to any information that pertains to a specific person who can be identified or is identifiable. It encompasses both the information you provide to us and the data we gather about you, including details obtained when you interact with our Services (e.g., device information, IP address).
The term "Services" encompasses the products and services offered by Empayo that fall within the scope of this Policy. Our "Business Services" refer to the Services provided by Empayo to entities ("Business Users") who directly or indirectly share with us "Customer" Personal Data related to their own business and activities.
The term "Sites" refers to Empayo.com and other websites, applications, and online services that are specified by Empayo as being included in this Policy. When we mention "Services," we are collectively referring to Sites, Business Services, and End User Services provided by Empayo.
Depending on the specific situation, the term "you" can refer to different individuals: the End User, the Representative, or the Visitor.
● If you are directly utilizing an End User Service for personal purposes, such as signing up for Link or making a payment to Empayo in your individual capacity, we will address you as a "Customer."
● If you are acting on behalf of an existing or potential Business User (e.g., as a company founder, an account administrator for a company that is a Business User, or a recipient of a payment from a Business User through Empayo), we will refer to you as a "Representative."
● If you visit a Site without logging into an Empayo account or engaging in any communication with Empayo, we will identify you as a "Visitor." For instance, if you send Empayo a message seeking additional information because you are contemplating becoming a user of our products, you will be categorized as a Visitor.
Depending on the specific activity, Empayo assumes the role of a "data controller" and/or "data processor (or service provider)." For further details regarding this distinction and to learn about the Empayo entity responsible for the matters outlined in this Policy, please refer to the further information:
1. Collection and Usage of Personal Data
Our collection and utilization of Personal Data are contingent upon your role as a Customer, Representative, or Visitor, as well as the specific Services involved. For instance, if you are a business owner, we may gather Personal Data to facilitate the onboarding process for your business.
In this Privacy Policy, the term "Transaction Data" encompasses Personal Data, which may consist of details such as your name, email address, phone number, address, identification document number, and business information.
We collect and process various personal data about you, including but not limited to the following:
● Information you provide: This includes personal data you provide to us when completing forms on our website. The information may include your name, email address, phone number, country, and full company information. Additionally, you may provide contact details, address, financial information, transaction information and other bank details to facilitate contractual obligations or payments related to goods or services provided to us.
● Correspondence and communications: If you contact us via email, we maintain records of the correspondence or communication.
● Website and communication usage details: We gather information regarding your visits to our websites, which includes data collected through cookies and other tracking technologies. This information encompasses your IP address, domain name, browser version, operating system, browser language, access time, traffic data, location data, web logs, website interactions, and referring website addresses. We may also utilize these technologies to track email openings and link clicks.
We ensure that we have a valid legal basis for processing your personal data. This may involve relying on your consent, the necessity of processing to fulfill a contract with you, protection of your vital interests or those of others, or compliance with legal obligations. Additionally, we may process your personal data based on our legitimate interests, taking into account your rights and interests.
To effectively communicate with you and conduct our business, including meeting your requests, we may utilize your personal data in the following ways:
● Responding to your contact requests: We use your personal data to promptly address and respond to any inquiries or requests you submit to us.
● Proposal and business requests: If you express interest in conducting business with us, we use your personal data to provide you with relevant information, respond to your requests for proposals or offers, or contact you regarding potential business opportunities.
● General communication: We may use your personal data to engage in communication with you or with relevant internal and external parties concerning matters related to you.
● Fulfillment of contractual obligations: When necessary, we process your personal data to fulfill our obligations arising from any agreements or contracts entered into between you and us.
Our use of your personal data for these purposes is typically based on your informed consent, contractual necessity (where processing is essential to fulfill our obligations), or our legitimate interests (where we have valid business interests that require the use of your personal data).
Please note that we prioritize protecting your privacy rights and interests throughout these data processing activities.
Processing methods:
Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, examination, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, sampling, erasure, or destruction.
2. Legal bases for processing data
For the purposes of the General Data Protection Regulation, we rely upon a number of legal bases to enable our processing of your Personal Data.
a. Contractual and Pre-Contractual Business Relationships: In order to establish business relationships with potential Business Users and fulfill our contractual obligations, we process Personal Data. These activities include:
● Creation and management of Empayo accounts: We collect and manage Personal Data to create and oversee Empayo accounts, including evaluating applications to initiate or expand the utilization of our Services.
● Accounting, auditing, and billing: Personal Data is processed for accounting, auditing, and billing purposes.
● Payment processing: We process payments, which includes activities such as fraud detection, loss prevention, optimization of valid transactions, communication regarding payments, and providing customer service related to payments.
b. Legal Compliance: To comply with our obligations related to fraud monitoring, prevention, and detection, as well as legal requirements associated with identifying and reporting illegal and illicit activities, such as Anti-Money Laundering (AML) and Know-Your-Customer (KYC) obligations, and financial reporting, we process Personal Data. This includes:
● Identity verification: We process Personal Data to verify the identity of individuals and entities, as required by law. For instance, we may need to record and verify a User's identity to meet legislative requirements aimed at preventing money laundering and financial crimes.
● Reporting obligations: We may be obligated by law to report our compliance with these regulations to third parties. Additionally, we may be subject to third-party verification audits to ensure our adherence to these obligations.
These legal compliance activities are necessary for us to fulfill our obligations imposed by applicable laws and regulations, and they may involve the processing of Personal Data.
c. Consent: In certain instances, we may rely on your consent to collect and process Personal Data, particularly in relation to how we communicate with you and provide our Services, including Link, Financial Connections, and Identity. When we process data based on your consent, you have the right to withdraw your consent at any time. Please note that withdrawing your consent does not affect the lawfulness of any processing conducted prior to the withdrawal, which was based on your consent.
3. Data protection rights and data processing period
Depending on your location and applicable law, you may have the following rights concerning the Personal Data that Empayo controls about you:
● You have the right to request confirmation of whether Empayo processes Personal Data about you and, if so, to obtain a copy of that Personal Data.
● You have the right to request that Empayo correct or update any of your Personal Data that is inaccurate, incomplete, or outdated.
● In certain circumstances provided by law, you have the right to request that Empayo delete your Personal Data.
● You have the right to request that Empayo limit the use of your Personal Data in certain situations, such as while Empayo evaluates another request you have submitted (including a request to update your Personal Data).
● Where technically feasible, you have the right to request that Empayo transfer your Personal Data to another company.
● If the processing of your Personal Data is based on your consent, you have the right to withdraw that consent at any time.
● If Empayo processes your information based on its legitimate interests, you may have the right to object to such processing. Empayo will cease processing your information unless it has compelling legitimate grounds or legal reasons to continue.
Please note that the availability and scope of these rights may be subject to local laws and regulations.
3.1 Processing Period:
For individuals or companies who are citizens or registered in European Union countries, or who have been verified to work with European Union citizens or companies, the processing period for Personal Data ends after 5 (five) years from the termination of the interaction between the Customer and Us. However, upon request from the competent authority, the Personal Data storage period may be extended from 5 (five) to 7 (seven) years.
For individuals or companies who are not citizens or registered in European Union countries, and who have not been verified to work with European Union citizens or companies, there is no specific time limit for the processing of Personal Data. The Controller and its Processors may continue to process the Personal Data even after the termination of the interaction between the Consumer and Service.
In addition to the above, I confirm that I have been informed of the following information during the duration of this consent:
Legal basis for the Personal Data processing: General Data Protection Regulation of April 27, 2016 (GDPR);
Identity and Contact Details of the Controller
Arbor Services OOD d.b.a. Empayo, whose registered office is located at 11 Prof. Hristo Danov street, ent. E, office 6, 1700 Sofia, Bulgaria, is the data controller.
Data Protection Officer
Our Data Protection Officer, Alexandru Dragoi, can be reached at info@empayo.com.
3.2 Cookies and Browsing Information
To facilitate users' navigation on our website, Empayo uses cookies and other storage methods with similar functionality (hereinafter "Cookies").
Cookies are small pieces of information that are saved onto the device from which the Service is accessed and which allow Empayo to provide certain services such as the ability to recall certain aspects of your most recent content search so that subsequent searches will be faster. Cookies can be removed from your device if you so desire. Most browsers will automatically accept Cookies. However, you can change the settings of your device to prevent Cookies being saved or to remove Cookies which may already be present on your device. Most of the services of our Website can be used without Cookies.
Empayo uses its own Cookies and Third Party Cookies as follows:
● Cookies which are strictly necessary to provide a service expressly requested by the user: Specifically, Empayo uses the necessary cookies to save a User's login.
● Session Cookies: These Cookies are saved and valid for a fixed period of time only, that is, until the user quits navigating or using the Service. These Cookies do not permanently save any information onto your device.
● Navigation Cookies: The primary objective of these Cookies is to avoid offering you recommendations which are unrelated to your areas of interest, as well as to provide you with targeted and personalized commercial offers. Navigation Cookies function by temporarily tracking your Internet navigation. You can remove this type of cookie before starting a navigation session in the Service.
You can configure your browser to accept or reject all Cookies by default, or to receive an on-screen notification each time a Cookie request is made at which point you can decide whether or not to allow said cookie to be saved onto your hard drive. To this end, we recommend that you consult the help section of your browser for information on how to change the settings that you currently use or use browsers in “incognito” mode. Should you decide to reject all Cookies, you will continue to be able to navigate the Platform but your access to certain sections may be limited. For more information regarding how to manage cookies, we recommend you visit http://www.aboutcookies.org
3.3 Third parties, to whom the Controller and/or the Processor may transfer the Customer Personal Data for processing for the purposes and in the ways indicated in this Consent:
3.3.1. Centers for personal data processing and storing (data processing centers, data centers):
Provided Personal Data: All Personal Data listed in this Consent;
Personal Data provision purpose: Customer/Visitor Personal Data safe storage;
List of data processing centers:
OVH - Becket House, 1 Lambeth Palace Road, London SE1, United Kingdom
3.3.2. State authorities authorized to receive personal data; auditors, consultants, accountants, notaries, lawyers (if necessary):
Provided Personal Data: All Personal Data listed in this Consent;
Personal Data provision purpose: The Controller provides the Customer Personal Data solely in case of the disclosure requirement to authorized official authorities or persons in accordance with the applicable law, order, decree, court decision and in the minimum necessary extent.
3.3.3. Our employees who are in contact with the Customer or who are responsible for marketing, customer support, IT department who are responsible for providing support to our Customer, analyzing and improving our Website and Services.
Validity period of the consent:
a. If the Customer is a citizen or a company registered in a European Union country or has been verified to work with citizens or companies registered in the European Union countries, this Consent is valid for the minimum required period of the Customer Personal Data processing, namely within 5 (five) years from the date of the termination of interaction between the Customer and Empayo. The Personal Data storage period may be extended from 5 (five) to 7 (seven) years from the date of the termination of interaction between the Customer and Empayo;
b. If the Customer is not a citizen or a company registered in a European Union country and has not been verified to work with citizens or companies registered in the European Union countries, the Personal Data processing period for such Customer is unlimited and Customer consents that such Personal Data may be processed by the Controller and its Processors after the termination of the Customer Agreement between Customer and Empayo.
Special rules for Customers that are citizens of European Union countries or have been verified to work with citizens of the European Union countries:
a. Consent withdrawal: If the Customer is a citizen or a company registered in a European Union country or has been verified to work with citizens or companies registered in the European Union countries, the Controller is obliged to comply with the GDPR Directive on the specified above minimum period for such Customer Personal Data storage. The Personal Data Subject understands, agrees and confirms that the right to withdraw this Consent cannot be applied prior to the mandatory Personal Data storage period expiration in accordance with the provisions of the GDPR Directive;
If a Customer who is a citizen or a company registered in a European Union country, or who has been verified to work with citizens or companies registered in the European Union countries, has not withdrawn this Consent after five (5) years following the termination of interaction between the Customer and Empayo in the Customer Agreement framework, the Controller, provided that the competent authority does not require the extension of the Personal Data processing period to 7 (seven) years, erases the personal data by irrevocable destruction at the end of this five-year period, informs all third parties to whom the Controller and/or Processors transferred the Customer Personal Data of such erasure, and demands the implementation of similar actions on their part.
b. Customer that is a citizen or a company registered in a European Union country or has been verified to work with citizens or companies registered in the European Union countries is also notified that at any time of the Consent validity period he has the right to:
1. Access the Personal Data, i.e. has the right to request and obtain from the Controller a confirmation as to whether or not personal data are being processed / access to Personal Data and the following information: the purposes of the processing; the categories of personal data concerned, all possible recipients of the Personal Data, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
2. Obtain from the Controller without undue delay the rectification of inaccurate Personal Data, the completion of Customer’s incomplete Personal Data, as well as require the receipt of notifications from the Controller regarding any corrections, additions, erasures or limitations to the Personal Data processing;
3. Erasure of the Personal Data (“right to be forgotten”) if: personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the Personal Data Subject withdraws the Consent, and there is no other legal ground for the processing; the Personal Data Subject objects to the Personal Data processing and there are no overriding legitimate grounds for the processing; Personal Data has been unlawfully processed; Personal Data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; Personal Data has been collected in relation to the offer of information society services to a child (taking into account the provisions of Article 8 (1) of GDPR);
4. Obtain restriction of Personal data processing if: the accuracy of the personal data is contested by the Customer, for a period enabling the Controller to verify the accuracy of the personal data; the processing is unlawful and the Customer opposes the erasure of the personal data and requests the restriction of their use instead; the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Customer for the establishment, exercise or defense of legal claims; the Customer has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Customer;
5. Personal Data portability, i.e. to receive the Personal Data, which Customer has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller;
6. Object to Personal Data processing, and as result the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the Personal Data processing which override the interests, rights and freedoms of the Customer or for the establishment, exercise or defense of legal claims (where personal data is processed for direct marketing purposes, the Customer shall have the right to object to processing of personal data for such marketing, and the Controller shall no longer process the Personal Data for such purposes);
7. File a complaint regarding the Controller/Processors actions to the supervisory authority.
Refusal to grant the Consent: Personal Data Subject hereby confirms that he has been notified that the provision of this Consent is not mandatory, and the Customer may at any time refuse it. However, the Consent granted by the Customer is a requirement necessary for the conclusion of the Customer Agreement between the Customer and Empayo. In the case of absence of the Customer signed Consent, the contractual relationship between the Customer and Empayo does not arise.
3.4 Security: We have implemented cutting-edge technical and organizational security measures to protect the data in our possession from incidents such as accidental data loss, misuse, alteration, disclosure, destruction or unauthorized access. Access to your data is limited to authorized personnel, who will process your data subject to a duty of confidentiality. No data transmission on the internet can be guaranteed to be 100% safe from intrusion, but we have a set of procedures to follow in case we need to deal with any suspected or actual data security breach. In such a case, we will notify you right away and the supervisory authority of a suspected breach where we are legally required to do so.
3.5 Data collecting from Minors: Empayo has a strict policy of not knowingly collecting any Personal Data or information from individuals who are under the age of eighteen (18) years. In the event that we become aware of any personal information collected from a minor, we will promptly delete all such information from our database.
3.6 Customer Rights, Queries, and Complaints
As a customer, you have certain rights pertaining to your personal data and the ability to address any concerns or complaints.
- You have the right to request modifications or rectifications to your personal data stored in our database, such as contact and billing information. To do so, you can contact us at tech@Empayo.com or open a support ticket through your customer dashboard.
- You have the right to restrict, refuse, or revoke your consent for the processing of your Personal Data. However, please note that terminating the processing of your Personal Data may make it difficult or even impossible for us to provide services to you.
- You can exercise your right to data portability by requesting a copy of your Personal Data, provided you have not already deleted it. This copy will be provided to you in a structured, common, and machine-readable format. Additionally, you can request information about all the Personal Data we have stored about you. To make these requests, please contact us at tech@Empayo.com.
- If you have any questions, concerns, or complaints regarding our data collection and handling practices, we encourage you to reach out to us via email at info@empayo.com.
4. Changes to Our Privacy Notice
Any changes we make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by email.
If you have any questions, concerns or complaints about our Privacy Notice, our privacy practices, or our data processing activities, you can contact our Data Protection Officer.
PROCESSING OF PERSONAL DATA ACCORDING TO GDPR AGREEMENT
This Processing of Personal Data According to GDPR Agreement ("Agreement") sets out the specific rules regarding the processing of personal data submitted by the Beneficiary, as a Client or Customer, to Arbor Services OOD d.b.a. Empayo ("Empayo," "we," "us," "our"), as a controller of your personal data, in accordance with Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR"), as well as any subsequent national legislation on the protection of personal data.
This Agreement is accompanied by and must be interpreted in conjunction with our Privacy Policy and the Terms and Conditions. By accepting this Agreement, you acknowledge that you have read, understood, and agreed to the processing of your personal data as outlined herein.
1. Definitions
a. "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
b. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2. Purpose and Lawfulness of Processing
a. We will process your Personal Data for the purposes of providing our services, including but not limited to payment processing, acquiring services, payout services, and related activities.
b. The processing of your Personal Data is necessary for the performance of our contractual obligations with you, compliance with legal obligations, protection of vital interests, consent, and legitimate interests pursued by us or third parties.
3. Categories of Personal Data
We may process the following categories of Personal Data, as provided by you or obtained during the use of our services:
a. Identity and contact details.
b. Financial information.
c. Transaction information.
d. Any other information necessary for the provision of our services and fulfillment of contractual obligations.
4. Data Retention
We will retain your Personal Data for as long as necessary to fulfill the purposes for which it was collected, as well as to comply with legal, accounting, or reporting requirements.
5. Data Subject Rights
As a Data Subject, you have certain rights under the GDPR, including but not limited to:
a. The right to access your Personal Data held by us.
b. The right to rectify inaccurate or incomplete Personal Data.
c. The right to erase Personal Data under certain circumstances.
d. The right to restrict the processing of your Personal Data.
e. The right to object to the processing of your Personal Data.
f. The right to data portability, where applicable.
g. The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
6. Security Measures
We implement appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of your Personal Data, in accordance with the requirements of the GDPR.
7. Data Transfers
Your Personal Data may be transferred to and stored in countries outside of your own, including countries that may have different data protection laws from your jurisdiction. We will ensure that any such international transfers comply with the applicable data protection laws and regulations.
8. Contact
For any inquiries or requests regarding the processing of your Personal Data or to exercise your rights as a Data Subject, please contact our Privacy Officer at info@empayo.com.
9. Subprocessing
We may engage subprocessors to assist in the processing of your Personal Data. We will ensure that any subprocessor we engage provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of the GDPR.
10. Data Breach Notification
In the event of a personal data breach, we will notify you and the relevant supervisory authority in accordance with our obligations under the GDPR. We will take all necessary measures to mitigate the impact of the breach and prevent any further unauthorized access or disclosure.
11. Data Protection Impact Assessment (DPIA)
Where required under the GDPR, we will conduct a DPIA to assess the potential risks and impacts of our data processing activities on the protection of your Personal Data. We will take appropriate measures to address any identified risks and ensure the protection of your rights and freedoms.
12. Changes to the Agreement
We reserve the right to modify or amend this Agreement at any time. Any material changes will be communicated to you through appropriate means. By continuing to use our services after the effective date of the amended Agreement, you acknowledge and accept the modified terms.
13. Governing Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of the jurisdiction in which Empayo is located. Any disputes arising out of or relating to this Agreement shall be subject to the exclusive jurisdiction of the courts in that jurisdiction.
E-WALLET DATA PROCESSING AGREEMENT
This E-Wallet Data Processing Agreement ("Agreement") is entered into between Arbor Services OOD d.b.a. Empayo ("Empayo," "we," "us," "our") and the Beneficiary (“you”), as the Client or Customer, collectively referred to as the "Parties," and sets out the specific rules and obligations regarding the processing of personal data submitted by the Beneficiary to Empayo as a data controller, in accordance with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), the Personal Information Protection and Electronic Documents Act (PIPEDA), the UK Data Protection Act, and the California Consumer Privacy Act (CCPA).
1. Definitions
a. "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject").
b. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2. Purpose and Lawfulness of Processing
a. Empayo will process the Personal Data provided by the Beneficiary for the purpose of providing e-wallet services, including payment processing, acquiring services, payout services, and related activities.
b. The processing of Personal Data is necessary for the performance of the contract between Empayo and the Beneficiary, compliance with legal obligations, protection of vital interests, consent, and legitimate interests pursued by Empayo or third parties.
3. Categories of Personal Data
Empayo may process the following categories of Personal Data, as provided by the Beneficiary or obtained during the use of the e-wallet services:
a. Identity and contact details.
b. Financial information.
c. Transaction information.
d. Any other information necessary for the provision of e-wallet services and fulfillment of contractual obligations.
4. Data Retention
Empayo will retain the Personal Data for as long as necessary to fulfill the purposes for which it was collected, as well as to comply with legal, accounting, or reporting requirements.
5. Data Subject Rights
As Data Subjects, Beneficiaries have certain rights under the applicable data protection laws, including but not limited to:
a. The right to access and rectify Personal Data.
b. The right to erase Personal Data under certain circumstances.
c. The right to restrict the processing of Personal Data.
d. The right to object to the processing of Personal Data.
e. The right to data portability, where applicable.
f. The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
6. Security Measures
Empayo will implement appropriate technical and organizational measures to ensure the security, confidentiality, and integrity of the Personal Data, in accordance with the requirements of applicable data protection laws and regulations.
7. Subprocessing and Third-Party Services
Empayo may engage subprocessors to assist in the processing of Personal Data. Empayo will ensure that any subprocessor it engages provides sufficient guarantees to implement appropriate technical and organizational measures to meet the requirements of applicable data protection laws.
8. Data Transfers
Empayo may transfer Personal Data to countries outside the Beneficiary's jurisdiction, including countries that may have different data protection laws. Empayo will ensure that any such international transfers comply with the applicable data protection laws and regulations.
9. Data Breach Notification
In the event of a personal data breach, Empayo will notify the Beneficiary and the relevant supervisory authority in accordance.
BY USING OUR SERVICES, you, the user, are accepting these terms and entering into this agreement with:
Arbor Services OOD d.b.a. Empayo (hereinafter referred to as "Empayo"), whose registered office is located at 58 Debar str., fl. 7, 9000 Varna, Bulgaria
Last Updated: 10.10.2024