ValorPay UAB Privacy Policy

1. Scope

We take our Privacy Policy very seriously and kindly ask you to review this Privacy Policy carefully as it contains important information on who we are, how and why we collect, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.

2. Who we are and how to contact us

ValorPay UAB is a payment institution established in the Republic of Lithuania (registration code 304881005, address Konstitucijos av. 7 Vilnius, Lithuania) and licenced by the Bank of Lithuania (authorization code LB000492). The company provides virtual payment services for corporates.

This website is operated by ValorPay UAB.

We collect, use and are responsible for certain personal information about you. When we do so, we are regulated under the EU General Data Protection Regulation (GDPR) in relation to services and products we offer to individuals in the European Economic Area (EEA), or under the Data Protection Act 2018 (DPA 2018) in relation to services and products we offer to individuals in the United Kingdom. Under the mentioned Data Protection Regulations we are responsible as ‘controller’ of that personal information for the purposes of those laws.

If you wish to contact us about the processing of your personal data, please contact our Data Protection Officer at dpo@valorpayonline.com.

3. The data we collect and process

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity. We collect the following data:

• Personal identification information (name, surname, address, e-mail address, telephone number, etc.).
• Your company details.
• Additional data required by money laundering and terrorist financing prevention legislation (personal identification number and/or date of birth, citizenship, facial image, video and sound recording of the verification process, identity document data, copies of the documents provided (e. g., financial information), details of the device used, IP address, etc.).
• Transaction data (billing information, transaction amount, date and time, beneficiary or sender, card information, etc.).
• Your communication with us (correspondence by email or conversations by phone).

4. How your personal data is collected

In many cases you yourself provide us with your personal data:

• During the registration process. The data you provide at registration is necessary for us to enter into a business relationship.
• When using our services (e.g., data on the transactions made).
• When communicating with us (customer service, interactions via social media platform, etc.).

We may also receive your data from other sources:

• When it is compliant with the applicable law, we receive it from third parties such as official registers and databases or our partners who participate in providing services to you (e. g. providers of client identification and verification services, sanction screening providers, etc.).
• In order to carry out enhanced due diligence procedures we also collect publicly available information about you (information on the internet, social media, etc.).
• From our clients (legal entities) in response to our legitimate requests.

5. How and why we use your personal data

Processing of your personal data is based on one of the following legal grounds:

• Consent. Where you specifically consented to us processing your personal data (e. g. for marketing purposes).
• Performance of the contract. Certain personal data is necessary to properly provide you with our services (e. g. for making transactions, receiving customer service, etc.).
• Legal obligation. We are obliged to process certain personal data according to the legal acts applicable to us (e. g., for purposes of prevention of money laundering and terrorist financing, fraud or other crime, for tax and accounting, for providing requested information to supervisory authorities, etc.).
• Legitimate interest. Where we have justification for the processing, it is necessary to achieve our goals and is balanced against your fundamental rights and freedoms (e. g. in case of potential or ongoing court proceedings).

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out assessment when relying on legitimate interests, to balance our interests against your own.

6. Profiling

Profiling carried out by ValorPay UAB involves processing of personal data by automated means for the purposes of carrying out Know-your-client (KYC) procedures, risk management and monitoring of transactions, including prevention of fraud, money laundering and terrorist financing. It is based on legal obligations applicable to the company as a payment institution.

7. Who we share your personal data with

In some cases, where we have a duty to disclose it or if it is required for the provision of our services, we might share your personal data with third parties.

We share personal data with:

• Third parties who are involved in providing or supporting our services (e. g. our partner banks).
• Regulators and supervisory authorities (e. g., for purposes of crime prevention, compliance with requirements for financial market participants, tax and accounting, etc.).

We do not share your information with other organisations for their benefit, but do engage appropriately vetted sub-processors as our suppliers, or providers of data processing services to us in order to facilitate the delivery of our services and/or products to you. We only allow our service providers to handle your personal data if we are satisfied that they take appropriate measures to protect your personal data. Additionally, we impose contractual obligations on service providers to ensure that they can only use your personal data to provide services to us and you.

In general we only transfer data to sub-processors who are in the EEA, or in a jurisdiction for which the European Commission has adopted an adequacy decision, or which we deemed to offer an adequate level of data protection. However, where it might be necessary to transfer your personal data to third countries, we shall ensure that appropriate protection measures are applied. We shall use legal mechanism, such as standard contractual clauses as indicated in GDPR to implement the cross-border transfer of your personal data or implement security measures like anonymization on the data before the cross-border data transfer

8. Data Security

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. We make sure that those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

Moreover, we have procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected data security break where we are legally required to do so.

We only retain personal data about you for as long as we need it, or are required to do so by applicable regulations. If we are processing your personal data due to a contract, we will retain this information only for as long as the contract and any terms or conditions of it that rely on the personal data are in force. We will retain your contact details for communicating with you for other purposes.

We employ appropriately robust policies, controls, and procedures to safeguard personal data that we hold, and we fully comply with all applicable data protection requirements.

9. Data Retention

We will not process your personal data for longer than necessary for the objectives of the processing.

According to applicable legislation of the Republic of Lithuania, ValorPay UAB is required to keep your personal data related to your identification and services provided for eight years after our business relationship with you ends.

Correspondence with you shall be stored for five years from the date of termination of transactions or business relationships with you.

These time limits may be additionally extended for up to two years upon reasonable instruction of a competent authority.

We may keep your personal data for longer because of a potential or ongoing court claim or another legal reason.

Once the relevant time period has expired and the personal data is no longer required for the abovementioned reasons, we will delete your data.

10. Your rights

Your rights under GDPR and DPA 2018 are summarised below.

You can contact us to exercise any of these rights, apart from the right to complain to a “Supervisory Authority”, by writing to the Data Protection Officer by email to dpo@valorpayonline.com. You will need to provide evidence of your identity.

We will respond to your request in a timely manner and within one month. Occasionally it may take us longer than a month to provide an answer if you have made a number or requests or if your request is particularly complex. In such instances, we will notify you and keep you updated. We may charge a fee or refuse to act on your request if it is manifestly unfounded, excessive, or repetitive.

• The right to access. You have the right to request copies of your personal data. If you wish to obtain confirmation as to whether or not personal data concerning you is being processed by us, you can request a free copy of it.
• The right to rectification. You have the right to request that we correct any information you believe is inaccurate.
• The right to erasure. You have the right to request that we erase your personal data (subject to certain conditions).
• The right to restrict processing. You have the right to request that we restrict the processing of your personal data (subject to certain conditions).
• The right to data portability. You have the right to request that we transfer the data that we have collected to another organization, or directly to you (subject to certain conditions).
• The right to object to processing. You have the right to object to processing of your personal data (subject to certain conditions).

Where you have given us your explicit consent for the processing of your personal data, you also have the right to withdraw this consent at any time by contacting us at dpo@valorpayonline.com.

11. How to complain

We hope that our Data Protection Officer can resolve any queries or concerns you may have about our use of your personal data.

You also have a right to lodge a complaint with your national Data Protection Authority:

• In the United Kingdom – ICO (https://ico.org.uk/global/contact-us/).
• In the EU – please see a list provided (https://edpb.europa.eu/about-edpb/about-edpb/members_en).

12. Changes to this Privacy Policy

We may change this Privacy Policy from time to time and will always publish the latest one on our website. This version was last updated on 5th March 2023.