PayXpert guarantees the confidentiality and privacy of the Personal Data collected and processed, having implemented appropriate methods and procedures, such as security measures to prevent alteration, loss, processing or unauthorized access as well as appropriate governance and control structures, to ensure the integrity and security of personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”), as well as, where applicable, the Data Protection Act 2018, the UK’s implementation of GDPR, by providing the necessary technical means to prevent any alteration, loss, access without authorization or misuse of the data processed.
PayXpert will not be responsible for inconsistencies in Personal Data when it is derived from an attack or unauthorized access to the systems in such a way that it is impossible to detect by the security measures implemented or when it is due to a lack of diligence of the user in terms of the guard and custody of their access passwords or their own personal data.
As a user you accept and guarantee that the Personal Data you provide is true, being the only person responsible for any damage or loss, direct or indirect, that could be caused to PayXpert as responsible for this website or third party, if you fill in any form with false information or third parties causing deception, damage, or injury. Please inform us of any variation that may occur in the data provided by sending an email to firstname.lastname@example.org
2. What personal data do we collect
By using our website, [or by subscribing to our services/association] you provide us with a certain amount of information about yourself, some of which may identify you (“Personal Information”). This is the case when you browse our site, when you fill in online forms, or simply when you become a member.
The nature and quality of the Personal Data collected about you will vary depending on the relationship you have with PayXpert and may include the following:
- Identification data: This includes all information that would allow us to identify you, such as your name, first name, telephone number. We may also collect your e-mail address, as well as your postal address (in case of payment, the postal address will be necessary to generate an invoice).
In case of subscription, a proof of identity may also be requested.
- Authentication data: This is all the information we need to access your personal account, such as a password, and other information necessary to authenticate and access an account. We also collect your IP address for maintenance and statistical purposes.
- Financial data: this corresponds to banking data such as bank details (direct debit or formalization of payments).
- Documents (PDF, Microsoft Office, Image) with titles, contents, folder names, or information related to a document, such as comments written in the documents, alerts and reminder dates.
- Browsing information: by browsing our website, you interact with it. As a result, some information about your browsing is collected.
- Data collected from Third Parties: Personal Data that you have agreed to share with us or on publicly available social networks and/or that we may collect from other publicly available databases.
3. Why do we collect your personal information?
We collect your Personal Data for specific purposes and on legal grounds.
In the context of the execution of the contract or pre-contractual measures, your data is processed for the following purposes:
- Customer relation management purpose
With your consent, your data is processed for the following purposes:
- Statistical purposes (periodic realization of analysis studies of the web),
- Prospecting purposes,
- Cookies for marketing purposes
Within the framework of the legal and regulatory obligations to which PayXpert is subjected, your data can be used for:
- AML/CFT purposes
We process your Personal Data based on PayXpert's legitimate interest for the following purposes:
- Answer to the request,
- Manage your account
4. Do we share your personal data?
Your Data is intended for the authorized PayXpert employees in charge of the management and the execution of the contracts and legal obligations, according to the purposes of the collection and within the limits of their respective roles.
Your Data may be transmitted for certain tasks related to that purpose, and within the limits of their respective missions and authorizations, to the following recipients:
- Entities of PayXpert within the framework of the outsourcing of activity to another entity of the Group.
- Service providers and data processors that we use to carry out a range of operations and tasks on our behalf, including Data hosting centers and commercial partners, only when you have expressly consented to this through a checkbox on our Data collection forms.
- Duly authorized public authorities (judicial, control…), in the framework of our legal and regulatory obligations.
- Regulated professions (lawyers, bailiffs, etc…) who may intervene in the context of the implementation of guarantees, collection, or litigation.
- Banks and financial entities.
When your data is provided to our service providers and data processors, they are also required not to use the data for purposes other than those originally intended. We make every effort to ensure that they maintain the confidentiality and security of your Data.
In all cases, only the necessary data is provided. We make every effort to ensure the secure communication or transmission of your data.
We do not sell your data.
5. How long do we keep your personal Data?
We retain your Personal Data only for as long as is necessary to fulfill the purpose for which we hold the Data and to meet your needs or our legal obligations.
Retention times vary depending on several factors, such as:
- PayXpert business needs.
- Contractual requirements.
- Legal requirements.
- Recommendations from regulatory authorities.
The retention periods for your Data are as follows:
Customer relation management
Five years from the contract termination
Three years from the last contact
Data coming from Cookies
The time required for the business relationship and the retention period provided for by tax and anti-money laundering legislation which concerns the limitation of liability
Answer to the request
The time required for the business relationship
Manage your account.
One year from the account deletion
6. Exercise of rights
At any time, the user can modify their preferences with regard to receiving commercial communications, as well as exercise their rights of access, rectification, erasure and to be forgotten, objection, portability and limitation, by contacting PayXpert by post at the address:
30 Churchill Place, London, England, E14 5RE
PayXpert Spain SL
Avenida Diagonal 440, 7th floor, 08028, Barcelona, Spain
PayXpert has appointed an internal Data Protection Officer (DPO), who can be contacted at the following e-mail address for any questions relating to the processing of personal data: email@example.com
You can also make use of the processes and forms to exercise these rights made available by the supervisory authorities.
The regulations provide Data Subjects with the following rights:
- Right to information: the right to have clear, precise, and complete information on the use of Personal Data by PayXpert.
- Right of access: the right to obtain a copy of the Personal Data that the Data Controller holds on the applicant.
- Right to rectification: the right to have Personal Data rectified if they are inaccurate or obsolete and/or to complete them if they are incomplete.
- Right to erasure / right to be forgotten: the right, under certain conditions, to have the data erased or deleted, unless PayXpert has a legitimate interest in keeping it.
- Right of opposition: the right to object to the Processing of Personal Data by PayXpert for reasons related to the particular situation of the applicant (under conditions).
- Right to Withdraw Consent: the right at any time to withdraw Consent where Processing is based on Consent.
- Right to restriction of processing: the right, under certain conditions, to request that the Processing of Personal Data be temporarily suspended.
- Right to Data Portability: the right to request that Personal Data be transmitted in a reusable format that allows it to be used in another database.
- Right to Avoid Automated Decision-Making: the right of the applicant to refuse fully automated decision-making and/or to exercise the additional safeguards offered in this regard.
Additional rights may be granted by the local regulations to Data Subjects.
To this end, PayXpert has implemented a procedure for the management of individuals’ rights in accordance with the requirements of the applicable legislation. This procedure establishes:
- The standards to be respected to ensure the transparent information of the data subject
- Legal requirements that must be met
- The authorized means of applying for each right, depending on the category of Data Subjects
- The business processes for handling these requests in accordance with the above requirements
- The stakeholders involved in these processes, their roles and responsibilities.
When you send us a request to exercise a right, you are asked to specify as far as possible the scope of the request, the type of right being exercised, the Personal Data Processing concerned, and any other useful information, in order to facilitate the examination of your request. In addition, in case of reasonable doubt, you may be asked to prove your identity.
You also have the right to file a complaint to your local supervisory authority.
7. Security Measures Applicable to the Processing of Personal Data
- Risk: According to the data required from users and according to the activity of the Processor, a Risk Analysis/Assessment has been carried out on the processing of the data, evaluating and grading the risks and taking the measures needed for adequate protection and security.
- Security Document: PayXpert states that it has a Security Document, in accordance with the aforementioned Risk Analysis and the criteria and principles of the Data Protection Act 2018 UK, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Protocols: PayXpert declares that it has and keeps updated a series of protocols and work processes in general and, in particular, regarding the management of Personal Data, and commits to disclosing them to all employees, staff and third parties with whom it works and who have access to data. Likewise, PayXpert undertakes not to allow access to or processing of files with personal data by personnel who have not received a copy of said documents.
- Incident Registry: PayXpert states that it has an Incident Registry that complies with what is specified in the Security Document and the proactiveness principles of the Controller, this registry being used by its personnel for the report of any incident related to the security of the information and personal data as well as any files with processing of personal data.
- Access Control: PayXpert states that it complies with the following measures regarding access control:
- Maintains an updated list of authorized users and accesses.
- Allows access only to authorized users according to the functions assigned to each of them.
- Establishes mechanisms that prevent access to data or resources with rights other than those authorized.
- Access is only granted by authorized personnel.
- Identification and Authentication: PayXpert in its access to personal data maintains the following security measures regarding the identification and authentication of users who will have access to said data:
- The identification and authentication is personalized.
- There is a procedure for assigning and distributing passwords, which imposes the use of robust passwords. Passwords are stored in an unintelligible way.
- The passwords are confidential (only known by the user).
- Passwords are changed very regularly, at intervals that depend on the data made available through such access.
- Support Management: PayXpert has adopted the following security measures regarding media with personal data:
- Maintains a media inventory.
- Has established a labelling system according to the inventory system that also allows identification of the type of information the media contain.
- Stores the authorized media in a restricted access area.
- Has established an authorization regime for media leaving its facilities, including outputs through e-mail.
- Adopts specific measures aimed at guaranteeing the confidentiality and security of personal data during transport and disposal of media.
- Security copies: PayXpert states that it has a backup system that guarantees the recovery of information (if necessary), and that the same is regularly tested.
- Non-Automated Files: Regarding the documents with personal data to which PayXpert has access, PayXpert adopts the following measures:
- Keeps the documentation in filing cabinets, drawers or cabinets that have a system that hinders their opening.
- During the review or processing of documents, the person in charge of them must be diligent and guard it to avoid unauthorized access. Only authorized personnel have access to documents.
- If a documentation transfer occurs, security measures are adopted that prevent the loss or access by third parties to said documentation.
- Third party personnel: PayXpert has duly communicated these obligations to its staff, ensuring compliance with the applicable regulations. Also, and by virtue of the Data Protection Act 2018 UK and GDPR, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, all those responsible for processing on behalf of them have the appropriate contract for the processing signed, where there is the commitment of the latter to comply with the same legal minimums and with the measures outlined by the Controller in terms of management and protection in the processing of Personal Data.
We store the user’s Personal Data on secure servers, protected against the most common types of attacks, located in France and Spain.
However, and since there is no invulnerable technology, the user must also put the means at their disposal to maintain the level of security of their data, through the use of robust passwords, the periodic modification of their passwords, avoiding using the same in diverse accounts as well as avoiding taking note of them in any physical or unencrypted medium.
PayXpert uses up-to-date technologies to protect your personal data and information, striving for the strictest confidentiality and application of technical tools for technical and organizational information security (passwords, physical security, data encryption, etc.) that correspond according to the applicable legislation, as well as keeping at all times the security document with the regulatory measures established.
9. Transfer of personal data outside the EEA
It is possible that the data we collect when you use our platform or services may be transferred to other countries. This is for example the case if some of our service providers are located outside the European Economic Area.
In the event of such a transfer, we guarantee that it will be carried out:
- To a country ensuring an adequate level of protection, i.e. a level of protection equivalent to what the European Regulations require.
- Within the framework of standard contractual clauses.
- Within the framework of internal company rules.
10. Transfer of data to third parties
PayXpert informs the users that their personal data will not be transferred to third parties or organizations, with the exception that said transfer of data is covered by a legal obligation or when the provision of the service implies the need for a contractual relationship with service providers responsible for the processing. In the latter case, only the transfer of data to the third party will take place when PayXpert has the consent of the user and maintains a contractual relationship with the person in charge of the processing that guarantees its confidentiality and compliance.
If PayXpert is approached by the relevant authorities, it may communicate personal information to respond to legal requirements or the criminal investigation of possible illegal activity. In such cases, PayXpert may communicate to the competent authorities personal information such as name and surname, city or province, postal code, telephone number, email address, user history and IP address.
11. Prohibition to users to transfer data from third parties
PayXpert expressly prohibits the user from sharing, facilitating or transferring data of third parties to anyone, which may be obtained as a result of contact, interaction or browsing performance or consultation through this website, unless it could accredit the express authorization of the user whose data is intended to transfer.
We remind users that the definition of data includes both text and image files of people in different formats. The personal image data is protected by these regulations. No one can use it without the express consent of the person who appears in it.
As a user, you acknowledge that you assume your responsibility and hold PayXpert blameless against any possible claim, penalty, fine or sanction that may be required to be borne as a result of the breach by the user of the described duty.
12. Comments and social networks
The data included in the form to make comments on this website may be read by third parties, and the name and other data may be read, once a comment is approved. If you make comments on the website of PayXpert, you consent to the display of the comment and the data you use to assign such comment on its completion.
PayXpert actively maintains channels on social networks with the main purpose of publishing and disseminating information about the services provided through the website of PayXpert, interacting with users and serving as a channel of attention and social interaction.
In the event that you access this website using an application that connects a social network with this website, you are authorizing the social network to share some data with PayXpert. It is important to know that if you have geolocated your accounts in social networks, your location information will be visible, when you share on those networks, to third parties with whom you share your information.
For more information about the method by which data is shared with social networks, we recommend that you check the privacy policies of each social network in question, as well as responsibly configure your profile in social media accounts and email applications to guarantee your privacy and security.