PayXpert Privacy Policy


1. Introduction

PayXpert takes privacy and data protection issues seriously. We have designed this Privacy Policy to explain how any Personal Data that is being collected or processed within the scope of PayXpert activities will be protected by us in compliance with applicable laws and regulations regarding the Processing of Personal Data and Sensitive Personal Data.
 

Please read the following carefully to understand PayXpert policy and commitments regarding your Personal Data on how we collect and process it. The use of this website implies the acceptance of this Privacy Policy. Additionally, by submitting your personal information, you acknowledge that PayXpert will hold and use it in accordance with this policy.

PayXpert guarantees the confidentiality and privacy of the Personal Data collected and processed, having implemented appropriate methods and procedures, such as security measures to prevent alteration, loss, processing or unauthorized access as well as appropriate governance and control structures, to ensure the integrity and security of personal data, in accordance the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”), as well as, where applicable, the Data Protection Act 2018, the UK’s implementation of GDPR , by providing the necessary technical means to prevent any alteration, loss, access without authorization or misuse of the data processed.

PayXpert will not be responsible for inconsistencies in Personal Data when it is derived from an attack or unauthorized access to the systems in such a way that it is impossible to detect by the security measures implemented or when it is due to a lack of diligence of the user in terms of the guard and custody of their access passwords or their own personal data.

As a user you accept and guarantee that the Personal Data you provide is true, being the only person responsible for any damage or loss, direct or indirect, that could be caused to PayXpert as responsible for this website or third party, if you fill in any form with false information or third parties causing deception, damage, or injury. Please inform us of any variation that may occur in the data provided by sending an email to externalisation@dpo-consulting.com 

2. What personal data do we collect

By using our website, [or by subscribing to our services/association] you provide us with a certain amount of information about yourself, some of which may identify you (“Personal Information”). This is the case when you browse our site, when you fill in online forms, or simply when you become a member.

The nature and quality of the Personal Data collected about you will vary depending on the relationship you have with PayXpert and may include the following: 

  • Identification data: This includes all information that would allow us to identify you, such as your name, first name, telephone number. We may also collect your e-mail address, as well as your postal address (in case of payment, the postal address will be necessary to generate an invoice).
    In case of subscription, a proof of identity may also be requested.
  • Authentication data: This is all the information we need to access your personal account, such as a password, and other information necessary to authenticate and access an account. We also collect your IP address for maintenance and statistical purposes.
  • Financial data: this corresponds to banking data such as bank details (direct debit or formalization of payments).
  • Documents  (PDF, Microsoft Office, Image) with titles, contents, folder names, or information related to a document, such as comments written in the documents, alerts and reminder dates. 
  • Browsing information: by browsing our website, you interact with it. As a result, some information about your browsing is collected. 
  • Data collected from Third Parties: Personal Data that you have agreed to share with us or on publicly available social networks and/or that we may collect from other publicly available databases.

3. Why do we collect your personal information?

We collect your Personal Data for specific purposes and on legal grounds.

In the context of the execution of the contract or pre-contractual measures, your data is processed for the following purposes:

  • Customer relation management purpose

With  your consent, your data is processed for the following purposes:

  • Statistical purposes (periodic realization of analysis studies of the web),
  • Prospecting purposes,
  • Cookies for marketing purposes

Within the framework of the legal and regulatory obligations to which PayXpert is subjected, your data can be used for:

  • AML/CFT purposes

We process your Personal Data based on PayXpert legitimate interest for the following purposes:

  • Answer to the request,
  • Manage your account

4. Do we share your personal data?

Your Data is intended for the authorized PayXpert employees in charge of the management and the execution of the contracts and legal obligations, according to the purposes of the collection and within the limits of their respective roles.  

Your Data may be transmitted for certain tasks related to that purpose, and within the limits of their respective missions and authorizations, to the following recipients:

  • Entities of PayXpert within the framework of the  outsourcing of activity to another entity of the Group. 
  • Service providers and data processors that we use to carry out a range of operations and tasks on our behalf, including Data hosting centers and commercial partners,  only when you have expressly consented to this through a checkbox on our Data collection forms.
  • Duly authorized public authorities (judicial, control…), in the framework of our legal and regulatory obligations.
  • Regulated professions (lawyers, bailiffs, etc…) who may intervene in the context of the implementation of guarantees, collection, or litigation.
  • Banks and financial entities.

When your data is provided to our service providers and data processors, they are also required not to use the data for purposes other than those originally intended. We make every effort to ensure that they maintain the confidentiality and security of your Data. 

In all cases, only the necessary data is provided. We make every effort to ensure the secure communication or transmission of your data. 

We do not sell your data.

5. How long do we keep your personal Data?

We retain your Personal Data only for as long as is necessary to fulfill the purpose for which we hold the Data and to meet your needs or our legal obligations.

Retention times vary depending on several factors, such as:

  • PayXpert business needs.
  • Contractual requirements.
  • Legal requirements.
  • Recommendations from regulatory authorities.

The retention periods for your Data are as follows:

Purposes

Retention periods

Customer relation management

 Five years from the contract termination

Prospecting

 Three years from the last contact  

Statistical

 6 months

Data coming from Cookies

Two years

AML/CFT purposes

The time required to the business relationship and the retention period provided for by tax and anti-money by tax and anti-money laundering legislation which concerns the limitation of liability

Answer to the request

The time required for the business relationship

Manage your account.

One year from the account deletion

6. Exercise of rights

At any time, the user can modify their preferences in regards to  receiving  commercial communications, as well as exercise at all times their rights of access, rectification, erasure and to be forgotten, object, portability and limitation in, by contacting PayXpert provided by post to the address:    

PayXpert LTD
30 Churchill Place, London, England, E14 5RE

OR

PayXpert Spain SL
Avenida Diagonal 440, 7th floor, 08028, Barcelona, Spain

PayXpert has appointed an internal Data Protection Officer (DPO), who can be contacted at the following e-mail address for any questions relating to the processing of personal data: externalisation@dpo-consulting.com

You can also make use of the processes  and forms to exercise these rights made available by the supervisory authorities.

The regulations provide Data Subjects with the following rights:

  1. Right to information: the right to have clear, precise, and complete information on the use of Personal Data by PayXpert.
  2. Right of access: the right to obtain a copy of the Personal Data that the Data Controller holds on the applicant.
  3. Right to rectification: the right to have Personal Data rectified if they are inaccurate or obsolete and/or to complete them if they are incomplete.
  4. Right to erasure / right to be forgotten: the right, under certain conditions, to have the data erased or deleted, unless PayXpert has a legitimate interest in keeping it.
  5. Right of opposition: the right to object to the Processing of Personal Data by PayXpert for reasons related to the particular situation of the applicant (under conditions).
  6. Right to Withdraw Consent: the right at any time to withdraw Consent where Processing is based on Consent.
  7. Right to restriction of processing: the right, under certain conditions, to request that the Processing of Personal Data be temporarily suspended.  
  8. Right to Data Portability: the right to request that Personal Data be transmitted in a reusable format that allows it to be used in another database.
  9. Right to Avoid Automated Decision-Making: the right of the applicant to refuse fully
    authorized decision-making and/or to exercise the additional safeguards offered
    in this regard.

Additional rights may be granted by the local regulations to Data Subjects.

To this end, PayXpert has implemented a procedure for the management of individuals’ rights in accordance with the requirements of the applicable legislation. This procedure establishes:

  • The standards to be respected to ensure the transparent information of the data subject
  • Legal requirements that must be met
  • The authorized means of applying for each right, depending on the category of Data Subjects
  • The business processes for handling these requests in accordance with the above requirements
  • The stakeholders involved in these processes, their roles and responsibilities.

When you send us a request to exercise a right, you are asked to specify as far as possible the scope of the request, the type of right being exercised, the Personal Data Processing concerned, and any other useful information, in order to facilitate the examination of your request. In addition, in case of reasonable doubt, you may be asked to prove your identity.

You also have the right to file a complaint to your local supervisory authority.

7. Security Measures Applicable to the Processing of Personal Data

  • Risk: According to the data required from users and according to the activity of the Processor, a Risk Analysis/Assessment has been carried out regarding the processing of the data, evaluating them, graduating them and taking those measures for an adequate protection and security.
  • Scope of Application of Technical and Organizational Security Measures: PayXpert states that it applies the necessary technical and organizational measures for adequate protection, confidentiality, integrity, resilience and security under of the proactivity criteria required by the Data Protection Act 2018 UK and GDPR, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, to the functions described in this privacy policy.
  • Security Document: PayXpert states that it has a Security Document, in accordance with the aforementioned Risk Analysis and the criteria and principles of the Data Protection Act 2018 UK, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • Protocols: PayXpert declares that it has and keeps updated a series of protocols and work processes in general and, in particular, regarding the management of Personal Data; Committing to disclose them among all those employees, staff and third parties with whom it works and have access to data. Likewise, PayXpert undertakes not to allow access or processing of files with personal data to personnel who have not received a copy of said documents.
  • Incident Registry: PayXpert states that it has an Incident Registry that complies with what is specified in the Security Document and the proactiveness principles of the Controller, this registry being used by its personnel for the report of any incident related to the security of the information and personal data as well as any files with processing of personal data.
  • Access Control: PayXpert states that it complies with the following measures regarding access control:
    • Maintains an updated list of authorized users and accesses.
    • Allows access only to authorized users according to the functions assigned to each of them.
    • Establishes mechanisms that prevent access to data or resources with rights other than those authorized.
    • Access are only granted by authorized personnel.
  • Identification and Authentication: PayXpert in its access to personal data maintains the following security measures regarding the identification and authentication of users who will have access to said data:
    • The identification and authentication is personalized.
    • There is a procedure for assigning and distributing passwords, which imposes the use of robust passwords. Passwords are stored in an unintelligible way.
    • The passwords are confidential (only known by the user).
    • Passwords are changed very regularly and with time periods assigned that depend on the data that gets available with such access.
  • Support Management: PayXpert has adopted the following security measures regarding media with personal data:
    • Maintains a media inventory.
    • Has established a labelling system according to the inventory system that also allows to identify the type of information they contain.
    • Stores the authorized media in a restricted access area.
    • Has established an authorization regime for the outputs of supports for its facilities, including outputs through e-mail.
    • Adopts specific measures aimed at guaranteeing the confidentiality and security of personal data during transport and disposal of media.
  • Security copies: PayXpert states that it has a backup system that guarantees the recovery of information (if necessary), and that the same is regularly tested.
  • Non-Automated Files: Regarding the documents with personal data to which PayXpert has access, adopts the following measures:
    • Keeps the documentation in filing cabinets, drawers or cabinets that have a system that hinder its opening.
    • During the review or processing of documents, the person in charge of them must be diligent and guard it to avoid unauthorized access. Only authorized personnel have access to documents.
    • If a documentation transfer occurs, security measures are adopted that prevent the loss or access by third parties to said documentation.
  • Third party personnel: PayXpert has duly communicated these obligations to its staff, ensuring compliance with the applicable regulations. Also, and by virtue of the Data Protection Act 2018 UK and GDPR, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, all those responsible for processing on behalf of them have the appropriate contract for the processing signed, where there is the commitment of the latter to comply with the same legal minimums and with the measures outlined by the Controller in terms of management and protection in the processing of Personal Data.

8. Security

 

We store the user’s Personal Data on secure servers, protected against the most common types of attacks, located in France and Spain.

However, and since there is no invulnerable technology, the user must also put the means at their disposal to maintain the level of security of their data, through the use of robust passwords, the periodic modification of their passwords, avoiding using the same in diverse accounts as well as avoiding taking note of them in any physical or unencrypted medium.

PayXpert uses up-to-date technologies to protect your personal data and information, striving for the strictest confidentiality and application of technical tools for technical and organizational information security (passwords, physical security, data encryption, etc.) that correspond according to the applicable legislation, as well as keeping at all times the security document with the regulatory measures established.

9. Transfer of personal data outside the EEA

It is possible that the data we collect when you use our platform or services may be transferred to other countries. This is for example the case if some of our service providers are located outside the European Economic Area.

In the event of such a transfer, we guarantee that it will be carried out:

  • To a country ensuring an adequate level of protection, i.e. a level of protection equivalent to what the European Regulations require.
  • Within the framework of standard contractual clauses.
  • Within the framework of internal company rules.

10. Transfer of data to third parties

 

PayXpert informs the users that their personal data will not be transferred to third parties or organizations, with the exception that said transfer of data is covered by a legal obligation or when the provision of the service implies the need for a contractual relationship with service providers responsible for the processing. In the latter case, only the transfer of data to the third party will take place when PayXpert has the consent of the user and maintains a contractual relationship with the person in charge of the processing that guarantees its confidentiality and compliance.

If PayXpert is approached by the relevant authorities, it may communicate personal information to respond to legal requirements, the criminal investigation of possible illegal activity.In such cases, PayXpert may communicate to the competent authorities personal information such as name and surname, city or province, postal code, telephone number, email address, user history and address IP.

If PayXpert is transferred, absorbed or merged with another entity, we undertake to agree on the subrogation and commitment of the new managing entity responsible for the processing of personal data for the continuation of this Privacy Policy warning of the commitment that if the personal information is going to be used contrary to this policy then the user must be previously notified. In any case, and as a result of the operation, the user will also be transferred so that the user can renew or, if applicable, revoke the consent previously granted.

11. Prohibition to users to transfer data from third parties

 

PayXpert expressly prohibits the user from sharing, facilitating or transferring data of third parties to anyone, which may be obtained as a result of contact, interaction or browsing performance or consultation through this website, unless it could accredit the express authorization of the user whose data is intended to transfer.

We remind users that the definition of data incudes both text and image files of people in different formats. The personal image data is protected by these regulations. No one can use it without the express consent of the person who appears in it.

As a user, you acknowledge that you assume your responsibility and hold PayXpert blameless against any possible claim, penalty, fine or sanction that may be required to be borne as a result of the breach by the user of the described duty.

If you provide us with personal data of other people, you must do so with their consent and having previously informed them of the points contained in this Privacy Policy.

12. Comments and social networks

The data included in the form to make comments on this website may be read by third parties, and the name and other data may be read, once a comment is approved. If you make comments on the website of PayXpert, you consent to the display of the comment and the data you use to assign such comment on its completion.

PayXpert actively works channels on social networks with the main purpose of publishing and disseminating information about the services provided through the website of PayXpert, interact with users and serve as a channel of attention and social interaction.

In the event that you access this website using an application that connects a social network with this website, you are authorizing the social network to share some data with PayXpert. It is important to know that if you have geolocated your accounts in social networks said information of your location when sharing in networks will be visible to third parties with whom you share your information.

For more information about the method by which data is shared with social networks, we recommend that you check the privacy policies of each social network in question, as well as responsibly configure your profile in social media accounts and email applications to guarantee your privacy and security.

Below we link the Privacy Policy of social networks where we have an open profile at this time:

13. Cookies

In the link “Cookies Policy” we inform you that this website of PayXpert can use cookies (small files of information that the server sends to the user’s computer that accesses this website) to  perform certain functions that are considered essential for the proper functioning and visualization of the site, to share on social networks and, in some cases, to perform analysis of evaluation statistics and improvement proposals as well as for marketing purposes.

In order to obtain these analyses, this website can store certain information in the server’s registers automatically through the use of cookies that collect usage and navigation data related to the use of this website by you as a user. These records usually include information such as browser type, browser language, date and time of access request, URL, computer or device model, operating system version, unique identifiers (IP) and data on the mobile network used in accessing and browsing this website.

The IP is considering a Personal Data, in the sense that its situation could be investigated, and the device and its location identified if necessary at the request of the competent authorities. PayXpert uses cookies that record IP addresses when accessing and browsing this website to analyse and measure access and time spent on the different pages of this website, and draw conclusions about the trend of web traffic. 

It is convenient for you as a user to know that we use tools and internet platforms that set cookies that are not under our control, so it is possible that the owners of these tools use this data for other purposes, for which PayXpert is not responsible. For this reason, it is advisable that you read the Cookies Policy of this website to know which are our own, which are third-party, which are permanent, temporary or session; and can decide to uninstall those that consider appropriate, since it will not affect much the result,  browsing experience. In the Cookie Policy, you will find the shortcuts that will allow you to modify the configuration of your computer or device, deactivating or eliminating cookies should you prefer to do so. 

14. Modification

PayXpert reserves the right to modify this Privacy Policy at any time to comply with any  changes in  applicable legislation, Payxpert’s data protection strategy or internal risk exposure. Any such change will be published on this website including the date of the last applicable update. 

Privacy Policy updated for the last time 09th February 2023.

Scroll to Top