Personal Data Processing

Privacy Policy of Mercurius Partners s.r.o. (hereinafter only “Company”)

  1. GENERAL REPRESENTATIONS
  2. BUSINESS AND LEGAL INFORMATION ABOUT THE COMPANY
  3. DEFINITION OF PERSONAL DATA COLLECTED BY THE COMPANY ABOUT ITS CLIENTS
  4. HOW DOES THE COMPANY COLLECT PERSONAL DATA
  5. HOW ARE PERSONAL DATA USED BY AUTHORIZED EMPLOYEES OF THE COMPANY
  6. DISCLOSURE AND SHARING PERSONAL DATA OF CLIENTS WITH OTHER INSTITUTIONS
  7. MARKETING
  8. INTERNATIONAL DATA TRANSFERS
  9. STORING DATA
  10. RIGHTS OF CLIENTS REGARDING PERSONAL DATA
  11. SECURITY AND STORAGE OF PERSONAL DATA
  12. MINORS
  13. RIGHT OF OBJECTION
  14. POLICIES REGARDING COOKIES AND OTHER ACCESS TECHNIQUES

COMPLAINT FORM FOR MATTERS RELATED TO PERSONAL DATA

1. General Representations

The Company continuously follows legal updates to any and all acts governing activities of financial institutions, AML and terrorism funding prevention, as well as European laws and directives related to protection of personal data. In compliance with the General Data Protection Regulation (GDPR), the Company has adopted measures described herein.

As of the launch of the electronic money system, the Company uses a set of personal data protection principles. These principles are applied to any and all persons and organizations whose personal data we hold. We focus on the following fundamental principles:

  • Principles and procedures of the Company should be transparent. Our Clients should understand how the Company collects personal data, for what reason, how the personal data are stored, and what personal data protection principles we apply.
  • The Company guarantees the security and control over personal data of the Clients and provides the Clients with an option to make decisions about their personal data.
  • The essential principle of the Company is to protect and securely store the personal and financial data. The Company applies the corresponding security standards for protection of personal data of Clients.
  • Being a licensed financial institution, the Company collects personal data in order to provide payment services and services related to electronic money. Personal data are used primarily as a means to prevent fraud and suspicious transactions and to comply with local and international AML and terrorism funding prevention laws.

2. Business and Legal Information about the Company

Mercurius is a system of payments / electronic money (hereinafter only the “system”) operated by the Company Mercurius Partners s.r.o., a company based in the Czech Republic (EU member state). The Company conducts its operations based on a license issued by the Czech National Bank for a small-scale electronic money issuer.

Full legal information about Mercurius Partners s.r.o. is as follows:

Business name: Mercurius Partners s.r.o.

Registration number of the company: 05513031

Registered office: sq.I.P.Pavlova 3, 12000 Prague 2, Czech Republic

E-mail: [email protected]

Telephone number: +420 234 280 634

The purpose of this Privacy Policy is to provide the Company’s Clients with information about how the Company collects and processes any received personal data, when our clients use the Company’s website or sign in to the Mercurius system. This includes all levels of interaction with our clients, including our website, business relationship, and provision of payment services and services related to electronic money.

As per the Directive 95/46/EC (General Data Protection Regulation), the Company is a data administrator and is therefore responsible for secure use of personal data in compliance with legal regulation and in compliance with the agreement concluded between the Company and its Clients.

Please read this Privacy Policy as well as other information regarding services offered by the Company. If you have any questions, please contact us at the e-mail address provided below.

3. Definition of personal data collected by the Company about its Clients.

Personal data are any information of a personal nature that identifies an individual. Personal data do not include information that cannot be used to identify an individual (i.e. anonymous information). The Company collects, uses, processes, stores, or transfers personal data such as:

  • Identification data. These include full name(s), date of birth, state-issued identification number, and numbers of identity documents. The Company uses these data particularly for purposes of identification of its clients in order to provide payment services and services related to electronic money to them, thus preventing money laundering or terrorism funding.
  • Contact information. These are data used to contact the clients and include telephone number, address, e-mail address, and billing address. These data are also used for two-step client verification in order to prevent risks relating to money laundering or terrorism funding.
  • Financial information. Financial information includes bank account number, payment (credit) card information, and other related financial information. These data are also used to inspect and identify a client for the purpose of preventing money laundering or terrorism funding.
  • Transaction details: When providing services to Clients who are owners of a business (business that uses one or more payment services or services related to electronic money) or a customer, these details include information regarding payment by means of products or services of the Company.
  • Technical and access information. This includes, for example, information about use of the Internet, IP address, login credentials, unique user ID, version of the installed software, screen resolution, colour depth option, plug-ins, language settings, whether JavaScript is enabled or disabled, content and pages loaded by a Client during his or her session at our website or platform, dates and times of the Client’s visit to the website or platform, and his or her course of visit on the website or platform.
  • Marketing and communication data: These data include a record of the Client’s decision to receive marketing materials of the Company, as well as of third parties, or to unsubscribe therefrom.
  • The detailed scope of personal data required for use of specific services provided by the Company is provided in the rules and conditions of services available at the www.mercuriuspayments.com website.

The Company does not collect, store, or process any special categories of personal data of its clients (race, ethnicity, religion or philosophy, sex life, sexual orientation, political opinions, membership in unions, health information, or genetic or biometric information).

The Company’s website includes links to websites, plug-ins, and third-party applications (including cookies and widgets by third-party advertisers). By agreeing with this Privacy Policy, the Client should understand that by clicking on these links or allowing such connection, the Client may give consent to third parties to collect or share his or her personal data. The Company has no means of control over third-party websites and has no influence over their privacy policies whatsoever.

4. How does the Company collect personal data

Since the Company is a small-scale issuer of electronic money, it has duties related to preventing money laundering and terrorism funding, in terms of which it collects data, including personal data, in order to provide its services and products to Clients. The Company collects only personal data necessary to operate the payment system / electronic money system and to provide services related to electronic money and payment services.

  • The Company is obliged by the law to verify and authorize payments for the purpose of mitigating the risk of theft and protecting from identity theft, fraud, money laundering, or terrorism funding. For this purpose, some of the personal and non-personal data of the Client may be collected by the Company either directly or provided to the Company by businesses or customers, and the Company will use such personal data to enter the available systems and secure such verification, where it will leave a cross-link to information required to verify a payment for future references.
  • Verification of Client’s identity and comparison of Client’s information for the purpose of accuracy verification.
  • Storing client data, if the Client claims his or her right to refuse the made purchases, or in case of a dispute or chargeback, for the purpose of sharing information about transactions and personal data of the Client with financial institution for the purpose of dispute settlement.

In compliance with the law, rules, and conditions (agreements) with Clients, the Company is not entitled to record, authorize, and approve registration of a Client into the Mercurius system, until the Client submits the required data.

At its website, the Company collects data in various ways, but particularly by receiving personal data provided by a client directly to the Company. This includes:

  • Entering client data at the Company’s website so that the Company’s employees may contact the customer regarding the services and products.
  • Requests to use/receive products or services of the Company directly at the website, via e-mail or Company’s suppliers (e.g. at points of sale).
  • Participation in a contest, promotional event, or survey.
  • Requests of marketing materials for further use.
  • Submission of a support ticket to the Company’s support centre.

Upon the Client’s entry to the website www.mercuriuspayments.com, the Company collects data through various means. These are data regarding use of the site and technical data. The Company applies a Cookies Policy, which is a part of the General Privacy Policy of the Company.

Additionally, the Company receives personal data via third parties or data that are publicly available. These sources are:

  • Points of sale and points of exchange, which provide personal data to the Company for the purpose of providing payment services and services related to electronic money selected at the website of these points of sale or points of exchange.
  • Profile data published on social media and networks, if the Client gives consent thereto to the Company and if necessary.
  • Technical information for the purpose of preventing frauds and risks.
  • Identification and contact information from public sources in compliance with the applicable legislation.

5. How are personal data used by authorized employees of the Company:

The first and foremost purpose of use of personal data by the company is the provision of payment services and services related to electronic money, including securing due quality of the service ordered by the Client from the Company (depending on the type of Client). Additionally, the Company uses clients’ personal data in the following cases:

  • If necessary for legitimate interests of the Company or a third party and if such interests outweigh the client’s interests.
  • If the Company uses personal data to fulfil its mandatory duties – e.g. preventing money laundering and terrorism funding, and other legal requirements set out by the Payments Act and other acts applicable towards the small-scale issuer of electronic money.
  • Personal data are used with active and informed consent of the respective Client. The Client may withdraw his or her consent, unless such withdrawal is in dispute with legal duties.
  • For the purpose of allowing effective communication between the Company and the Clients, namely to send e-mail informing the client about payment products or services, updated applicable security notices, and notices regarding monitoring of frauds or related to interruption of services or other important notices related to the Company’s products and services.

In order to improve its products or services, the Company may use automated tools, including profiling, automated analysis of client’s personal data for the following purposes:

  • Carrying out KYC (“Know Your Customer”) procedures as required by the applicable law, including thorough risk assessment procedure for the purpose of verifying and authorizing a Client.
  • Verifying and authorizing payments for the purpose of mitigating the possibilities of theft and identity theft or fraud as per the applicable legislation.

The Company collects and uses personal information to provide payment services and services related to electronic money:

  • Conclusion and performance of agreement between the Company and its Clients, securing payment services and services related to electronic money, opening a client account within the Mercurius system.
  • Processing of a payment transaction ordered by the Client through the Company’s services, and notification of the Client regarding the status of such payment. The types of personal data and the legal basis depend on the specific payment methods available in the Mercurius system.
  • Carrying out KYC (“Know Your Customer”) and procedures for risk assessment in order to verify and authorize the Client and his or her access to the Company’s services. The required data consist of identification data, contact information, and financial information. These are fundamental for the Company to be able to assess the Client’s request to receive access to services and products of the Company based on an agreement and the mandatory legal duties imposed onto the Company.
  • Protection of the Mercurius system and of the Company’s business processes and security of compliance with the applicable legislation and regulations for financial institutions. Types of personal data may include information about identity and transactions.
  • Administration of Client-Company relationships. This includes notices of amendments to the Agreement, Terms and Conditions, or this Privacy Policy, or requesting the Client to provide information about how the Company may improve or develop new services or products.
  • Providing the Client with assistance and troubleshooting, contacting the Client or sending notices to the Client if directly related to the Company’s services such as faults and update of the system.
  • Informing the client about the status and history of transactions, which is required from the Company as a small-scale issuer of electronic money by the Payments Act.
  • Issuing and storing invoices and accounting documents.
  • Using Client’s personal data in transaction or monitoring reports in terms of performance of agreement by the Company.
  • Using Client’s personal data for internal purposes such as audits, reporting, data analysis or gathering, research focused on improvement of products or development of new ones, services, and communication.
  • Using data analysis to improve the website, products or services, or to improve marketing and user experience. These may be technical data and access credentials used for the Company’s analysis and development or improvement of products and/or services, or to provide promotion or benefits that may improve client interaction and use of the Company’s services and/or may aid the future development thereof.

6. Disclosure and sharing personal data of clients with other institutions

When working with Clients’ personal data, the Company shares the data with:

  • Internal third parties – authorized employees of the Company and specific third parties, which are groups of companies providing marketing support, IT support and development, financial support and legislation compliance, and services related to AML and terrorism funding prevention.
  • External third parties:
      o Points of sale, in compliance with service agreements and rules and conditions.
      o Service providers bound by agreements that help the Company with its business activities, i.e. providers of IT infrastructure, software for payment risk analysis, marketing services, and legislation compliance officers.
      o Authorized financial institutions and banking partners of third parties, in cooperation with whom the Company co-creates and offers products and services. Depending on the payment method, the Company shares information with financial institutions that verify and process individual means of payment, relevant authorizations, validations, and settlements. This means that the Client’s personal data may be collected for this very purpose by institutions issuing financial resources for financial resources, collecting by financial institutions, payment schemes, and franchises such as Visa, MasterCard, credit institutions, etc.

In any case of enforcement of right, court order, investigation by a national bank, investigation by a financial arbitrator, or any other similar judicial procedure, the Company shall adopt any and all adequate organizational and technical measures in order to ensure that each third party participating in the processing of the Client’s personal data shall apply security standards compliant with the applicable legislation and with the policy determined herein.

7. Marketing

Since the Company provides many payment solutions and services, it sends marketing notices and messages. The Company sends marketing notices and messages only if the Client subscribed to receive such information about the Company’s services and products. The Client will also receive marketing communication from the Company if he or she participates in a contest, promotional event, or a survey, in terms of which the Company requests the clients to provide contact information in order to be able to enrol or participate in a survey.

In any case, the Company keeps a register of data for marketing communication, which is used by the Company, and each Client is entitled to unsubscribe from any such marketing notices by clicking on an unsubscription link provided in the Company’s marketing messages. The Company may also use the marketing and communication data with the aim of improving and adapting advertisement and promotional events that may be interesting for the Client.

8. International data transfers

The Company does not share personal information of its Clients with third parties, with the exception of those related to mandatory duties of the Company and third parties under contractual relationships on transfer of personal data for the purpose of provision of payment services and services related to electronic money. Such transfer is necessary for fulfilment and compliance with provisions of our services or fulfilment of other operational needs of the enterprise or development of specific purposes determined herein. Whenever the Company provides personal data to third parties, the Client can be sure that such third party applies similar level of data protection as the Company.

9. Storing data

The Company is entitled to store Clients’ personal data for as long as it is necessary for the company to fulfil the purpose of collection thereof. The Company may store the data, provided that the legal (contractual or legislative) and accounting requirements as well as the compliance requirements are mutually conforming. The Company also considers the temporary limits set out in business acts or data protection acts in various countries, in which the Company provides its services.

10. Rights of clients regarding personal data

Each Client may exercise his or her rights determined in the applicable legislation. The Company guarantees the following rights regarding personal data protection:

  • Right to access the client’s personal data. Each individual is entitled within the contractual relationship with the Company to request information regarding his or her personal data processed by the Company.
  • Right to correct or change the Client's personal data. Any incorrect personal data shall be corrected through changes provided by the Client.
  • Right to delete the Client’s personal data. Upon the Client’s request, the Company shall delete such Client’s personal data, with the exception of data that are to be stored in relation to legal duties.
  • Right to restrict processing of the Client’s personal data. Under specific circumstances, the Company may designate specific personal information as forbidden for processing if the Client requests so.
  • Right of data transferability. Upon the Client’s request, the Company may provide the personal data provided to the Company to another data administrator.
  • Right to automated individual decision-making, including profiling.
  • Right to object against direct marketing.

11. Security and storage of personal data

The Company has adopted legal, technical, and organizational measures considered necessary for keeping the Client’s personal data secure, with adequate respect to applicable obligations and exceptions under the applicable regulations. The Company maintains standards of the payment-providing industry regarding personal data protection, including, among others, standard options of using a transparent data encryption database. Any and all data related to clients’ personal data are encrypted with the AES 256 algorithm with a crypto period of 1 year. The encryption key is encrypted using the X.509 standard with a 2048-bit key length and a one-year crypto period. The private key is distributed only to several employees of the Company using the Shamir threshold scheme; therefore, none of the employees has individual access to the data independently of other employees. Access to information structure is secured according to the PCI DSS standard.

The Company reviews its policies for collecting, storing, and processing clients’ personal data, including any physical security measures, in order to prevent forging, loss, fault, fraudulent use, or fraudulent or unauthorized access to the Client’s personal data.

The Company adopted procedures for handling any suspicion of breach of personal data security and will notify its Clients and any competent authority, should the law require so.

12. Minors

The Company does not voluntarily or actively collect, use or disclose personal data of minors, with respect to varying age in varying territories, without a prior consent of the minor’s parents or guardians.

The Company’s services are not focused or intended to attract minors.

Should an employee of the Company find out or be notified that the Company collects personal data for whatever reason about a minor from a certain territory without receiving any verifiable consent of the parents, the Company shall ensure deletion of such data as soon as possible.

13. Right of objection

Each Client is entitled to submit a complaint regarding processing and storage of personal data by the Company at the corresponding and competent personal data protection regulator within the Client’s territory.

Each Client is entitled to withdraw his or her consent with processing of personal data provided by the Client to the Company and prevent any other processing, unless there is a legitimate reason for the Company to continue processing the Client’s personal data.

Should there be a complaint or claim regarding personal data or the necessity of deletion thereof, please contact us at the e-mail address stated below. Should you want to file a complaint, withdraw consent, or make any other changes to personal data, please fill out the application provided below and send it to the following e-mail address: [email protected]

14. Policies regarding Cookies and other access techniques

At its website, mobile application, and the Mercurius system, the Company uses Cookie files, web beacons, and other access techniques (hereinafter only “Cookies”). “Cookies” include any IT-related data, text files stored in user terminal for use in websites. Through such files, the Company finds a user terminal and displays a website adapted to the corresponding user preferences. “Cookies” usually contain the title of website, which the user is redirected from, save date and time in the terminal, and a unique number.

“Cookies” are used to adapt the website content to user preferences and to optimize the use of website. They are also used for production of anonymous summary statistics that allow the Company to understand how the user profits from the website, thus allowing means to improve the structure and content thereof, without the necessity of user’s personal identification.

The Company uses two types of “Cookies” - “Session Cookies” and “Fixed Cookies”. “Session Cookies” are temporary files stored in the user’s terminal until he or she logs out from the website or closes the application (web browser). “Fixed Cookies” remain stored in the user’s terminal for a period defined in the cookie parameter or until removed manually by the user. Personal data collected via cookies may be collected only to carry out specific features intended for the user. Such data shall be encrypted to prevent access thereto by unauthorized parties.

It generally applies that software tools used to browse websites allow storing Cookies in the user terminal when in default settings. Such settings may be changed so that the web browser does not allow automatic management of cookie files or to notify the user during each submission of cookies files to the terminal. Details regarding the possibilities and manners of cookie file processing can be found in the web browser settings. Denied use of cookie files may affect some features available at the website.

“Cookies” used by partners of the website operator, including, but without limitation to, website users, are subject to their respective privacy policies.

Complaint form for matters related to personal data

Name and surname

Date of birth

Address

Contact e-mail address

State the type of data which this complaint relates to:

o Identification data

o Contact information

o Financial information

o Payment details

o Technical and access information

o Marketing and communication data

Please state the subject matter of your complaint related to personal data:

We will process your complaint within 24 hours. Should you have any questions, please contact us at: +420 234 280 634.