This privacy policy will describe the way Phyre and Paynetics collect, store and use  your personal information regarding the application Phyre and your Paynetics account and Paynetics card as well as the purposes for their collection and the grounds of their collection and processing including the rights of the personal data subjects with regard to Regulation (EU) 2016/679 of the European Parliament and the Council from 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive).

Definitions

“Functionalities” – means all services which Phyre app offers and which are explained in detail in our Terms of Service

"Phyre App" means the application, through which you may use certain services, which you may download for free from Google Play Store and/or App Store and which, when installed in your mobile device, allows you to execute defined payment functionalities which are explained in detail in our Terms of Service.

"Phyre" means "Phyre AD" - company registered in Republic of Bulgaria with UIN No. 203617076 which technically maintains and exploits Phyre App. Phyre provides services as a provider of technical services supporting the provision of payment services without assuming possession of the funds which should be transferred, including through processing and storage of data, the authenticity of the data and the object, the information technologies and the communication network, procurement, provision and maintenance of terminals and devices used for payment services, excluding the services for initiation of payments and information services on accounts. Phyre processes your personal data as a Paynetics processor and as an administrator in relation to the loyalty services described in the General Terms and Conditions of the application.

"Paynetics” means "Paynetics AD", with seat and management address: Sofia, Sofia Municipality, commune of Losenets, 76-A, James Bourchier Blvd., ground floor, entered in the Commercial Register maintained by the Registry Agency under UIN No. 31574695. Paynetics AD is a company for e-money, holder of a license for performing activity as e-money company, issued by the Governing board of Bulgarian National bank with Decision № 44 from  11.04.2016 г. and is entered into the register kept by Bulgarian National bank which may be found here. Bulgarian National bank performs supervision on the activity of "Paynetics" AD. "Paynetics" AD is registered as an administrator of personal data with Certificate № 3721 / 25.01.2015 in the Commission for Personal Data Protection.

"Phyre" and "Paynetics", or "we", "our" or "us" means both companies which - as administrators - jointly process your personal data, for the purposes of the Phyre App.

This policy represents an important document. We recommend that you read it carefully, print it out and keep a copy for further reference.

How to contact us

In case you have questions regarding the way we collect, store and use your personal information or want a copy of the information we keep for you, please contact us by:

writing to the designated personal data officer in Paynetics or Phyre at address: 76, "James Bourchier" Blvd, 1407 - Sofia, Bulgaria; or by sending us a message at: dpo@paynetics.digital

In case you do not want to receive marketing messages which you told us previously that you wanted to receive, please contact us by using the aforementioned details.

Personal data and information that we collect from you

"Personal data" is defined in Article 4, paragraph 1 of GDPR (Regulation (EU) 2016/679):

"(1)"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ".

This Privacy policy and personal data protection is intended to inform you as a user about what categories of personal data we may collect or collect from you in relation with the use of the Phyre App. We use and we may provide you with the stored data upon your request. We do not collect personal data from no one under the age of 18 years.

From the first contact that we have with you until providing you with Phyre App and Paynetics card and Paynetics account, we collect personal information for you, including:

-Your name, address, email, mobile phone number, date of birth, Google Advertising Id and data on your payment card and any other information you grant when applying for our services and use Phyre App;-Details on the communications with you (via email, internet, our call centre or via third parties), when you contact us to signal about a problem or make a query;

-Your answer to the inquiries which we ask you to perform for research purposes;

-Details on the transactions you make through our Phyre App and on the execution of your requests for transactions;

-Information from agencies for fraud prevention and credit reference agencies or other organizations taking part in the support or the provision of Phyre App and the related services;

-Information about the way you use and manage your Phyre App, the services we maintain and the payments you make.

- Your photo; a copy of passport or identity card; utility bill; bank statement; photograph (selfie) with passport or identity card;

- Your contact list, including telephone numbers;

Every time you use the platform Phyre, this version of the Privacy policy and personal data protection will be applied. You express your informed and explicit consent to grant your personal data on a purpose to be collected and processed by us. You may find in this policy exhaustive information about the use of the personal data by us. Our application will exert control over the privacy which is related to the way we will process your personal data. Upon granting your personal data you may indicate your consent or rejection to the collection or processing of your personal data.

For what purposes we will use your personal information

We will use your personal information in order to:

- provide you with the Phyre mobile payment services as well as the services "Virtual wallet for Loyalty cards" and "Interactive viewing of offers";

- perform checks to verify your identity and to verify your address in accordance with the legal requirements and to process your application ;

- contact you regarding the services we provide, for instance, opening, administering and launching of your Phyre App, your Paynetics card and Paynetics account (including use of mobile phone numbers and email to ensure the update of balances and signals for transactions) as well as for granting of the services "Virtual wallet for loyalty cards" and "Interactive viewing of offers".

- collect our fees or expenses related to the services described in our General provisions

- handle any inquiries or questions which you have regarding our services;

- prevent or uncover frauds, recording of suspicious or fraudulent behavior or suspicions for incorrect or imprecise information;

- observe our legal obligations;

- collect our expenses in relation to the court decisions (including to negotiate agreements for payments with you and to collect the fees due by us and expenses in relation with the legal enforcement);

- present you with our other products and services, if you have agreed to that;

- raise the awareness of the users of our services through carrying out of polls and market research and

- conduct advertising games and raffles to promote Phyre App;

Phyre will notify you about news regarding the product, promotions, bargains and other promotional messages via push notifications, and via email, by organizing social media campaigns;

- Phyre app use Firebase, Google Analytics, Crashlytics, Mixpanel, MoEngage and Intercom to collect information regarding the use of the mobile application by the users in order to improve the user experience.

Phyre will contact you via email; messages, published on the Phyre website www.phyreapp.com; via social media and the so-called "push notifications" and in-app messages. „Push notifications” are a technique used by applications for portable smartphones, tablets and devices allowing the owners of such devices to receive news, messages etc. via the appropriate application.

In case Phyre intends to use your personal data for other purposes, you will be notified and asked for your explicit consent about that.

On what grounds we collect and process your personal data:

1. We may process your data for your account and your profile in Phyre App with your explicit consent ("profile data"). The data for your account is unique and includes your email, mobile phone number and password and your profile may include your name, email, date of birth, nationality and address, photo and telephone number. You provide us with that data in order to register your account and profile and to use our services. The data for the account and your profile may be processed in order to access your profile via the Phyre App, and in order to grant you our services by guaranteeing high level of security of our platform, maintenance of protected reserve copies of our database and performing of communication with you. The data for the profile may be processed and for the purposes of granting full access to the services we provide, platform Phyre, your Paynetics card and Paynetics account and monitoring your activity. The legal ground for this processing is your consent and our legal interests, namely the correct administration of the Application and our business, as well as our obligation to apply mechanisms for identification and high level of authentication at the provision of financial services.

2. We may process your data granted in the process of using our services ("data for using the services"). The data for using the services may include registration files for accessing our platform as well as a history for the granted and used services. The source of data for using the services is our platform where you maintain a registered account and profile. The data for using the services may be processed for the purposes of functioning of the application, provisioning of our services, guaranteeing the security of the Application and services related to maintenance of protected backup copies of our database and contacting you. The legal ground for this processing is your consent and our legal interests, namely the correct administration of our website, monitoring aiming to prevent frauds and guaranteeing security.

3. We may process your personal documents which you upload in our platform via Your registration ("data on the content"). The data on the content in the form of attached files may be processed for the purposes of identification and verification of your identity which enables you to use our website, mobile application and our services. The legal ground for this processing is your consent and our legal obligation to confirm your identity due to reasons related to counter money laundering and financing of terrorists, before granting you the payment services of application Phyre, Paynetics card and Paynetics account.

4. We may process information contained in any query which you send us about our services ("data on queries"). The information on queries may be processed for the purposes of the supply, the marketing and the sale of the relevant services to you. The legal ground for this processing is your consent to receive information and to improve our communication channels with you.

5. We may process the information related to the transactions made and the granted services which are performed through Phyre App, Paynetics card and Paynetics account ("transaction data"). The transaction data may include data on the card, the bank account and the transaction history details. The transaction data may be processed with the purpose of granting services and maintaining correct records about these transactions in our system. The legal ground for this processing is the execution of the contract concluded between us or undertaking of steps upon your demand for concluding such a contract.

6. We may process the information which you grant us as subscribers of our email messages and/or newsletters ("data on messaging"). The data on messaging may be processed for the purposes of sending of the relevant messages and/or newsletters. The legal ground for this processing is your consent OR the execution of a contract concluded between YOU and us and/or undertaking of steps upon your demand for concluding of such a contract for using of the services Paynetics card and Paynetics account.

7. We may process the information containing in or relating to any communication you send us ("data on correspondence"). The data on the correspondence may include the content of the communication and the metadata related to the accomplished communication. Our website generates metadata related to the communication through the contact form or the query form. The data on correspondence may be processed for the purposes of the communication with you and the keeping of archives for required and granted information. The legal grounds for this processing are our legal interests, namely the correct administration of our website and our contract relationships as well as the communications with the users.

8. We may process the information of your contacts list and telephone numbers for the purposes of providing you with certain application functionalities. The legal ground for this processing is your consent.

9. We may process all personal data indicated in this Policy when this is needed for instituting, prosecution or defense of/against legal actions/claims regardless whether it is in legal proceedings or in administrative or extrajudicial procedures. The legal ground for this processing are our legal interests, namely the defense and the confirmation of our legal rights, your legal rights and the legal rights of third parties/.

10. In addition to the specific purposes, to which we may process your personal data indicated in this Policy, we may also process your personal data when such processing is needed for observing of a legal obligation which we have, or to protect your vital interests or the vital interests of another physical person.

11. Please do not grant personal data to any other person unless we explicitly require you to do so in relation to granting of additional service.

12. Our services are managed from a technical point of view by "Phyre" AD. By adopting this Policy, you explicitly agree that the technical processing of the data granted to us by you is performed completely or partially by "Phyre “AD.

12.1. We may disclose your personal data to any member of our group of related companies (including but not limited to our daughter companies, authorised representatives, entire company structure), insofar this is reasonably justified for the purposes and the legal grounds indicated in this Policy.

12.2 We may disclose specific personal data required for the purposes of the identification and verification of your identity done by our authorized suppliers or subcontractors when it is reasonably justified for the specific purposes. In any case you explicitly agree, with a view to the services provided by us, that we may grant your data to agencies for credit control or agencies for fraud prevention and other organizations: to verify the entire personal information provided by you in order to confirm your identity. The agencies may record your information and the searches made (even if any application is unsuccessful or not finished).

12.3. We may disclose your personal data also to companies of third parties with a view to the services provided by us. More specifically but without limitation, our services use and rely on the services for processing and storage of Phyre: Firebase, Google Analytics, Amazon Web Services (AWS), Mixpanel, MoEngage, Intercom. We may disclose your personal data also to card networks and payment schemes, such as MasterCard: in order to provide you with Phyre App, the Paynetics card and the related services.

12.4 We may disclose your personal data to our professional experts, insofar it is reasonably justified for the purposes of the risk management, the getting of professional advices or the instituting, prosecution or defense of/against legal actions/claims regardless whether it is in legal proceedings or in administrative or extrajudicial procedures.

12.5  We may disclose your data and data for received queries to one or more from our partners listed on our website, in order to allow them to connect with you in order to offer and sell you services from the same nature as the ones offered by Paynetics with regard to Phyre App, Paynetics account and Paynetics card.

12.6 In addition to the specific releases of personal data indicated in this Policy, we may disclose your personal data when such disclosure is needed for observing a legal obligation which we have, or to protect your vital interests or the vital interests of another physical person.

13. You explicitly agree and give your consent that you may become a subject of an automated risk assessment, although Paynetics ensures you that the final decisions are always taken by an authorized employee of the company.

14. We may grant your data to certain third persons who may use your personal information in order to send you marketing messages, in case you have explicitly given your consent for them to do this and you have approved the purpose for processing of your data.

Information from cookies and other technologies

15. "Cookie" is a file containing an identifier (a sequence of letters and digits) which is sent by a web server to a web browser and is stored by the browser. The identifier is sent back to the server any time when the browser loads a page from the server. "Cookies" may be "permanent" cookies or "session": the permanent cookies will be stored by a web browser and will remain valid until the defined expiration date, unless they are not deleted by the user before the expiration date; on the other hand, a session-cookie, will expire at the end of user's session, when the web browser is closed.

16. Cookies usually do not contain information which personally identifies the user but the personal information which we store for you, may be connected to the information stored inside and received by the cookies.

17. We use "cookies" for the following purposes:

(a) authentication- we use "cookies" in order to identify you when you visit our website and while you navigate in our website.

(b) status – we use "cookies" in order to help us determine whether you have entered our website.

(c) personalization - we use "cookies" in order to store information about your preferences and in order to personalize your access to the website.

(d) security - we use "cookies" as an element from the security measures used for protection of user profiles, including fraud prevention/abuse and protection of our website and the provided services as a whole.

(e) advertisement - we use "cookies" in order to help us show you advertisements which are suitable for you.

(f) analysis - we use "cookies" in order to assist us in the analysis of the website and services use and efficiency.

(g) consent for the "cookies" - we use "cookies" in order to store your preferences regarding the use of "cookies" generally.

18. We collect information when you browse content, advertisements, sites, interactive widgets, applications and other products (inside the scope and outside the scope of our Services), via technologies for data collection (such as web directories, development tools, cookies and other technologies, etc.). These technologies for data collection allow us to understand your activity inside the scope and outside the scope of our services, and to collect and store information when you use the services which we offer to our partners.

19. This information includes also the type of the content and the advertisements you look at, show or click on; the frequency and the duration of your session; the sites or the applications you used before having access to the services and where have you navigated afterwards; regardless whether you have examined special content or advertisements; whether you have visited the website of the advertiser, whether you have bought an advertised product or service, or have undertaken other actions.

SECTION IV: STORAGE AND DESTRUCTION OF PERSONAL DATA

25. This section shall define the regulations and the procedure for storage of data which are intended to guarantee the observance of our legal obligation for storage and destruction of personal data.

26. The personal data which we process for any purpose(s) whatsoever, should not be stored longer than necessary for this purpose or these purposes.

27. We shall store your personal data, as follows:

27.1 all personal data will be stored for a minimal period of 5 (five) years after the termination of our contact for servicing.

27.2 Your personal data will not be additionally processed in a way incompatible with the purpose(s) for which they have been preliminarily collected.

28. We shall apply appropriate security measures against unauthorised access or non-permitted change, disclosure or destruction of the data, and against all other illegal forms of processing.

29. When the purpose for which the personal data have been received, is terminated and the personal data are not required any more, we will destroy them or will delete them in a secure way.

30. Regardless of the remaining provisions of this section, we may retain your personal data when such retention is necessary for observing a legal obligation, required from us or to protect your vital interests, or the vital interests of another physical person.

SECTION V: SECURITY

31. We shall respect the security of your personal data and shall use reasonable electronic, cadre and technical measures in order to protect them from loss, theft, change or abuse. Nevertheless, bear in mind that even the best security measures cannot completely remove all risks.

32. We strive to protect the entire information of the application in the proper way. You however bear responsibility for the protection of the privacy of your personal data for identification, by keeping your passwords for access to the Phyre App platform confidential and protected. You should change your password immediately if you suspect that someone has obtained unauthorised access to it or to your profile. If you lose control over your profile, you should immediately inform the responsible contact person in Paynetics and Phyre, indicated at the beginning of this Policy.

SECTION VI: CHANGES

33. Paynetics and Phyre may update this policy periodically by publishing a new version at Phyre App website. That is why you should accept this Policy each time when you register in the application.

34. Regardless of the above said, we retain our right to notify you at the email address provided by you about any changes in the present policy. That is why you should always keep your contact data updated.

SECTION VII: YOUR RIGHTS

35. You may require from us to grant you the whole personal information which we store for you, the granting of such information depending on:

35.1 submitting of appropriate proofs for your identity (to that effect we will ask you to submit documents for identity verification via our platform).

35.2 You will have the right to require the granting of your personal information not more than 1 (one) time per year for free. For every subsequent request, Paynetics and Phyre will apply a fee currently fixed at 20 BGN;

35.3 The deadline for giving a response from Paynetics and Phyre actually is fixed at one (1) month after receipt of your request.  This term may be prolonged by Paynetics and Phyre with an additional term of 10 days. In that case Paynetics and Phyre will inform you about the extension at your email address or at your telephone number.

35.4. You may require access to your personal data by sending an email to dpo@paynetics.digital  or by visiting our application when you have entered through your registered profile.

36. We may retain your personal information for which you have required access within the legally permitted frame.

37. You may require from us at any time to not process your personal data for marketing purposes.

38. In practice, you usually either agree beforehand your information to be used for marketing purposes, or we shall give you the opportunity to renounce the use of your personal information for marketing purposes.

39. Your fundamental rights in accordance with the Law on the protection of personal data and General Data Protection Regulation are:

39.1 right of access;

39.2 right of rectification;

39.3 right of erasure;

39.4 right to restriction of processing;

39.5 right to object against processing;

39.6 right to object against data portability;

39.7 right to file a complaint with a supervisory body; and

39.8 right to withdraw the consent.

40. You have the right to require correction of inaccurate personal data for you and with a view to the processing of your personal data, to supplement incomplete personal data for yourself.

41. In some cases you have the right to request erasure of your personal data without ungrounded delay. These hypotheses arise when: your personal data is not needed any more with regard to the purposes for which the data has been collected or processed; you withdraw your consent for processing made on the basis of consent; you object against the processing in accordance with certain rights of the applicable legislation for protection of the personal data; the processing is for the purposes of the direct marketing; your personal data were illegally processed. Restriction of the right to erase personal data is present when the processing of these personal data is needed for exercising the right of freedom of expression and information; for observing of obligation arisen by virtue of a normative act; or for instituting, prosecution or defence of/against legal claims.

42. 1. You have the right to require restriction of the processing of your personal data in some of the following cases:

• the precision of the personal data is disputed by you, for a term which allows the administrator to verify the accuracy of your personal data;
• the processing is unlawful, but you don't want your personal data to be deleted but instead require its use to be restricted;
• the administrator does not need any more your personal data for the purposes of processing, but you require their processing for instituting, prosecution or defense of legal claims;
• you have objected against the processing waiting for examination whether the legal grounds on which we process your personal data have priority over your interests;

42.2. When the processing is restricted due to one of the hypotheses quoted above, such data will be processed, with exception of its storage, only with your consent or with the purpose of instituting, prosecution or  defense of legal claims, protection of the rights of another physical person or due to important grounds of public interest for the European Union or a Member State.

42.3. When you have requested restriction of the processing pursuant to paragraph 1, we shall inform you before the revoking of the restriction of the processing.

43.  You have the right at any time and on grounds related to your specific situation, to object to processing of your personal data when a processing is performed on one of the following grounds:

• the processing is needed to execute a task of public interest or at the exercising of official powers which have been granted to us;
• the processing is needed for the purposes of our legitimate interests or of a third party, except when priority over such interests has the interests or the fundamental rights and freedoms of the data subject which require protection of the personal data, more specifically when the data subject is a child.
  

44. You have the right to object against the processing of your personal data for the purposes of direct marketing (including profiling for the purposes of the direct marketing). In case you make such an objection we will discontinue the processing of your personal data to that effect. We will discontinue the processing of your personal data, except when we find out that there are convincing legal grounds for the processing which have priority over the interests, rights and freedoms of the data subject or for instituting, prosecution or defense of legal claims;

45. You have the right to object against the processing of your personal data for historical scientific purposes or for statistical purposes on grounds related to your specific situation, except when the processing is needed to execute a task performed by considerations for public interest.

46. Insofar the legal ground for the processing of your personal data is:

46.1 a consent; or

46.2 the processing is necessary for the execution of a contract you are a party to or have undertaken steps to conclude a contract upon your request, and this processing is performed in automated ways,

You have the right to request personal data from us in a structured, accessible and machine-readable format. A restriction of this right shall be present when the transfer of the data will affect unfavorably the rights and freedoms of third persons. The same will be valid when your personal data are transferred to another administrator (Right of transfer of data).

47. In case you consider that the processing of your personal information is in violation of the laws on data protection, you have the right to file a complaint with a supervisory body responsible for the data protection. You may do this in the Member State of EU where you usually reside, are employed or at the place of the presumed violation.

48. Insofar the legal ground for the processing of your personal information is consent, you will have the right to withdraw this consent at any time. The withdrawal will not affect the conformity with the law of the processing before the withdrawal as well as it will not affect or restrict the processing of any other legal ground or contract.

49. You may exercise your rights with a view to your personal data by written notification to us and to send it to our official contact email address published on our website.

50. We will keep some of your data in order to enable subsequent personal identification, in order to avoid abuse, for rectifying problems, in order to assist in any investigations, in order to apply our General provisions and/or to observe legal requirements for storage of personal data. Therefore, you should not expect that all your personal identifying information will be completely removed from our database in response to your request. We also keep history of the changes made to the granted data, in order to investigate presumed frauds with your profile.

SECTION VII MONITORING FOR QUALITY ASSURANCE AND TRAINING

51. We strive to guarantee that the services we provide to our clients are of possibly the highest standard. With a view to that purpose, sometimes it may become necessary to record the telephonic and electronic messages between our employees and third persons in order to assure the quality and training or if it is permitted by the law only after you have been notified of that. We will always perform monitoring of the communications with accordance to the applicable legislation and at any time will continue to protect the privacy of your messages in accordance with these rules.

SECTION VIII. International transfers of personal data (including to providers of services assigned to external subcontractors)

52. It may become necessary to transfer your personal information to business partners and services providers residing in territories outside the European Economic Area ("EEA"). For instance, we may maintain the Phyre App, the Paynetics card, the Paynetics account and the services related to it from centres such as USA and India and we may process payments via other organisations like banks, payment processors, card networks and payment schemes located outside EEA. Upon downloading and usage of Phyre App, of  Paynetics card and the use of your Phyre profile and Phyre services you explicitly agree to that. You should bear in mind that we will never transfer your personal data to a state or to an organisation which does not offer sufficient levels of protection, without your explicit informed consent. The protection provided by General Data Protection Regulation (GDPR) follows the data provided by you which means that the rules for personal data protection continue to be applied regardless of the place where the data is located. This is valid also when the data is transferred to a state which is not a member of the EU (hereinafter referred to “third country”). Here are the cases which the General regulation envisages for authorized transfer of personal data:

• Sometimes by decision of the European Commission may be declared that a third country offers an adequate level of protection (“decision for adequate level of protection“) which means that we may transfer data to other companies in that third country without submitting additional guarantees or the data becoming subject to additional conditions. In other words, the transfers to a third country with adequate level of protection will be comparable to the transfer of data within EU;

• In case of absence of a decision for adequate level of protection the transfer may be made via providing appropriate guarantees and under condition that applicable rights are present and effective legal means of protection of the physical person. These appropriate safeguards include, among others:

• In the case of a group of enterprises or groups of companies performing joint economic activity, the companies may transfer personal data on the basis of the so-called bonding corporate rules;
• Contract agreement with the recipient of the personal data, by using for instance the standard contract clauses approved by the European commission;
• Observing of a Code of conduct or mechanism for certification, together with obtaining of bonding and executable commitments from the recipient for enforcing of appropriate safeguards for protection of the transferred data; and finally, if it is envisaged to transfer personal data to a third country which is not a subject to a decision for adequate level of protection, and if appropriate safeguards are missing, there may be made a transfer on the basis of a number of exceptions for specific situations, for instance when a person has agreed explicitly with the suggested transfer, after being provided with all necessary information regarding the risks related to the transfer.

SECTION IX. How we take care of your personal information

We have at our disposal technical and organisational assurance according to us appropriate for the protection of your personal information against unauthorized or unlawful use, damage or destruction. We have introduced strict rules for privacy (including obligations for data protection) with our services providers from third countries.