1. Who are we?
Pionew UAB (“Pionew”, “Company”, “we” or “us”) respects the privacy of the users of our payment processing services, and is committed to protect the Personal Data that users share with us in connection with the use of our services (the “Service”).
The Service may contain links to external websites, such as our partner websites, websites promoting our Service, etc. When you follow links to any of these websites, please note that these sites and the services accessed through them have their own separate privacy policies and that we assume no responsibility or liability for these policies or for the collection of Personal Data on these sites. Before submitting Personal Data to there or using related services, it is important to review their privacy policies.
2. From whom do we collect Personal Data?
(a) Users: Individuals whose information we process to:
- Provide the Service to our Customers pursuant to our agreements with them; or
- Provide the Service directly to our Users via an e-money account or service account; this includes Users registering on behalf of an organization; or
- Fulfill regulatory objectives, prevent illegal activities and to comply with applicable laws.
(b) Customers: Those who register on their own or on behalf of an entity or organization to use the Company’s Service, including merchants and operators of the Exchanges. For the avoidance of doubt, Customers do not include Users.
(c) Other persons, including the ones who subscribe to direct marketing materials, apply to various job positions offered by us, acts as a representative of our partners, etc.
3. How do we use your Personal Data and what principles do we keep?
We collect and process only such Personal Data as it is necessary to achieve the Personal Data processing purposes we have specified. When processing your Personal Data:
- We comply with the requirements of current and applicable legislation, including the GDPR;
- We process your Personal Data in a lawful, fair, and transparent manner;
- We collect your Personal Data for specified, clearly defined and legitimate purposes and do not process them in a way incompatible with those purposes, except to the extent permitted by law;
- We take all reasonable steps to ensure that Personal Data being inaccurate or incomplete, in accordance with the purposes for which they are processed, would be rectified, supplemented, suspended, or destroyed without delay;
- We hold Personal Data in such a form that your identity can be established for no longer than is necessary for the purposes for which the Personal Data are processed;
- We ensure that your Personal Data is processed securely, that we ensure technical and organizational security measures, as well as that we provide access to Personal Data only to those of our employees who need such access due to their work functions.
4. How Do We Collect Personal Data?
We use the following methods of collection:
(a)Through your use of the Service and/or the transactions carried out in connection with the Service. In other words, when you are using the Service, including when you browse the Exchange(s), we collect and record the information relating to such usage, either independently or through the help of third-party services as detailed below.
(b)From our business partners – the Exchanges, and other partners. For example, when you return to the Exchange, such Exchange may provide us with your contact information (such as name, address, and date of birth), as well as usage information regarding your previous visits to its website(s) (for example, the User’s balance, previous logins, and previous transactions).
(c)Through publicly available sources. For example, we collect certain information about you through your publicly available credit card blacklists and official limited bank account lists, and other online public information.
- From third-party services. For example, we may collect some data when we use third-party services to provide our Service and prevent fraud.
- Information which you provide us. For example, we collect Personal Data required to use the Service that you provide to us by completing the registration form, the onboarding process (if you register as the Customer) and/or contacting us directly.
- When your Personal Data, with your consent, is provided to us by other persons, including companies using our Service. For example, when such companies indicate your contacts, refer to you as an authorized person, etc.
The person providing Personal Data to us is responsible for the correctness, completeness, and relevance of such Personal Data, as well as for the consent of the person whose data is provided to submit his/her Personal Data to us. We may ask you to confirm that the person has the right to provide us with Personal Data (for example, by filling in service order or registration forms). If necessary (e. g. a person inquires us about receiving his/her Personal Data), we will indicate the provider of such Personal Data.
5. What Personal Data are we processing?
We process your Personal Data for the following purposes and under the following conditions:
|Purpose of the processing of Personal Data||Personal data being processed||Personal Data processing period||Legal basis for the processing of Personal Data|
|Registration, use of account, user identification, provision of Service (individuals)||Name, surname, username, e-mail, password, phone number, personal identity code, date of birth, country of birth, address, address for correspondence, nationality, citizenship, gender, passport/ID card copy and its details (e. g. type, number, issuance place and date, expiry date, signature), selfies, IP address, device geographical location, KYC questionnaire, details of user’s bank accounts and payments, Service and account usage history, monetary operations, information on sources of income and wealth, tax data, Wallet ID, information about the Service ordered and used and changes therein, data on PEP’s, other information required by law.||Personal data collected for the implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention shall be stored in accordance with the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania up to 8 (eight) years as of the transaction/termination of the Company’s relationship with the user. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority. –||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR). Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR). Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)|
|Registration, use of account, user identification, provision of Service (corporate)||Name, former name (if changed), trading name or doing business as, name and surname of representative of the customer (if any), names and surnames of all directors of the customer, including board members, supervisory council, names and surnames of ultimate beneficial owners of the customer (if any), names and surnames of persons with access right to the customer’s account at the Company, titles of general and limited partners (in case of partnerships), names, surnames, titles of main partners, citizenship, date of birth, declaration on connection with politically exposed persons of all above mentioned persons, gender of all natural persons, business registration address, business operational address, registration number, incorporation date, extract of registration and its date of issue, company’s status, proof of address for each UBO and customer’s representative (who acts under PoA), ID/Passport of UBO and representative persons and authorized persons to account, records of remote identification and verification of legal entity’s representative, records of remote identification and verification of legal entity’s persons who have access to its account, power of attorney (if applicable), representatives personal code (if applicable); e-mail; phone number and residence address. Information obtained via KYC questionnaire: number of employees, main business activities, business activities countries, authorized capital, last year turnover, planned turnover for next year, purpose of intended business relationship, source of incoming funds, anticipated monthly turnover, anticipated monthly count of transactions, any other document/ information on ad hoc basis.||Personal data collected for the implementation of the obligations under the Law on Money Laundering and Terrorist Financing Prevention shall be stored in accordance with the Law on Prevention of Money Laundering and Terrorist Financing of the Republic of Lithuania up to 8 (eight) years as of the transaction/termination of the Company’s relationship with the user. The retention period may be extended for a period not exceeding 2 (two) years, provided there is a reasoned request from a competent authority.||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR). Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR). Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)|
|Other payments activity, Buy/Sell Crypto||Payments in fiat information: amounts and currency, external IBANs, purpose of transactions. Payments in crypto information: amounts and currency, wallet address. name and Surname; Selfies, ID or passport, billing address, phone number, email address, IP address, device geographical location, credit/debit cards info: first 6 and last 4 digits, BIN country, BIN bank.||From 3 to 8 years from the date of execution of the payment transaction.||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR). Legitimate interests of the data controller or a third party (risk assessment) (Article 6(1)(f) GDPR).|
|Chargeback||Name and surname, POID document, billing address, email, phone number, account number, IP address, device geographical location, wallet address, payment amount and currency, Zendesk tickets, device ID, chargeback request and other related information and proof.||The entire period of the dispute/claim and 5 years after the end of the out-of-court dispute /claim.||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR). Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR).|
|Execution of financial operations, accounting, debt management.||Name, surname, e-mail, phone number, position, place of work, address, relationship with the represented legal entity, account number, credit institution, payment information, debt information, data transferred by the company collecting the contributions and confirmations of payments.||According to the regulatory legal acts, as well as in accordance with the Index of General Document Storage Periods Approved by order No. V-100 of the Chief Archivist of the Republic of Lithuania of 9 March 2011. When the data does not fall within the above-mentioned storage area – the period of validity of the contract/cooperation between the parties and 10 years after the end of the contract/relationship (last contact).||Data processing is necessary for the conclusion and performance of the contract (Article 6(1)(b) GDPR). Data processing is necessary for to fulfil a legal obligation imposed on the data controller (Article 6(1)(c) GDPR). Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR) .|
|Evaluation and selection of candidates for the offered job.||Name, surname, e-mail, phone number, address, education and activity data, content of the CV, other information required for the selection/evaluation of the candidate or provided by the candidate.||The selection period and 3 months after the selection if the candidate’s consent to the retention of data after the selection has been obtained. When data are received not for a specific selection, they shall be stored for 3 months after the date of their receipt.||Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR). Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR).|
|Sending news, conducting surveys, direct marketing, advertising.||Name, e-mail address, phone number, the data requested in the survey announcement/ questionnaire.||Data is processed for 1 year from the receipt of consent, unless you revoke your consent earlier.||Consent of the data subject to the processing of such data (Article 6(1)(a) GDPR).|
|Settlement of disputes and claims.||Name, surname, workplace address, workplace position, contact with the represented legal entity, phone number, e-mail, the content of the claim or other similar document, information/documents related to the dispute/claim.||The entire period of the dispute/claim and 5 years after the end of the out-of-court dispute /claim resolution and 10 years after the end of judicial proceedings.||Data processing is necessary for to fulfil a legal obligation imposed on the data controller (Article 6(1)(c) GDPR). Legitimate interests of the data controller or a third party (Article 6(1)(f) GDPR)|
In Social Accounts we can share information about ourselves, our content, events, news, surveys, as well as information about the employees we are looking for. Social accounts users are also subject to the privacy policies of the social networks owners. When you contact us on Social Accounts, depending on the privacy settings you choose, we may see certain user account information such as profile first name, surname, image, sex, e-mail address, location, etc. (the list is not exhaustive). If a user posts information by communicating with us on our Social Accounts (e. g. posts a comment in the comments section of our Social Account or posts a message on our Social Account profile), depending on the privacy settings chosen, the posted information may be made public (for example, visible on our Social Account to other users).
When providing our Service, we may, in certain cases, apply automated data decision-making, for example to prevent fraud, to ensure compliance with AML/CTF policies, etc. Automated decision-making refers to the processing of Personal Data using, for example, a software code or algorithm that does not require human intervention. We regularly review the criteria and models used in automated decision-making to ensure their integrity, efficiency, and impartiality. You may always ask for a revision of such automated decisions.
6. Do we share your Personal Data?
Our business partners, suppliers, sub-contractors, or agents who perform services for it, or consultants such as auditors, lawyers, tax advisors, analytics and search engine providers that assist us in the improvement and optimization of the Platform, etc., as well as the Personal Data Processors we use, such as ancillary service providers, IT companies, advertising and marketing companies, accounting companies, etc. We require data processors to store, process and treat Personal Data as responsibly as we do and only in accordance with our instructions.
We normally process Personal Data within the EEA, but in some cases your Personal Data may be transferred outside the EEA. The Company will always take steps to ensure any transfer of such information to entities based outside the EEA is carefully managed to protect your rights and interests by implementing Appropriate safeguards to protect Personal Data.
Your Personal Data will only be transferred outside the EEA under the following conditions:
- Data are transferred only to our reliable partners who ensure the provision of our services to you;
- EU Standard Contractual Clauses Approved by the European Commission, which ensure the security of transfers of your Personal Data, have been signed with such partners;
- The Commission of the European Union has decided on the eligibility of the country in which our partner is established, i.e., an adequate level of security is ensured;
- You have given your consent to the transfer of your Personal Data outside the EEA; or
- A special permit of the State Data Protection Inspectorate of the Republic of Lithuania was obtained to carry out such transfer.
To use the Service, you must be over the age of eighteen (18). Company does not knowingly process Personal Data from children under the age of eighteen (18) and does not wish to do so. We reserve the right to request proof of age at any stage so that we can verify that minors under the age of eighteen (18) are not using the Service. If it comes to our knowledge that a person under the age of eighteen (18) is using the Service, we will prohibit and block such User from accessing the Service and will take appropriate measures to prevent that User from making use of our Service.
8. Tracking technologies
When you access or use the Service, we may use (and authorize third parties to use) industry-wide technologies such as cookies or similar technologies, including web beacons, pixel tags, scripts, tags and other technologies that store certain information on your computer (“Local Storage”) and which will allow us to enable automatic activation of certain features, and make your Service experience much more convenient and effortless (collectively “Tracking Technologies”). These Tracking Technologies allow us and third parties to automatically collect information about you (such as your IP address, device unique identifiers and your online behavior), to enhance your navigation on our Site, improve our Site’s performance and customize your experience on our Site, as well as for advertising and fraud prevention purposes. We also use this information to collect statistics about the usage of our Service, perform analytics, deliver content which is tailored to your interests.
9. Direct marketing
With your consent (only), we may use your Personal Data for direct marketing purposes to provide you with newsletters, offers and information about our Service, as well as to inquire about the quality of our performance.
The above content can be sent by e-mail, messages to the phone number specified by you, as well as messages in your account in the Platform or Site. Your contacts may be transferred to our partners who provide us with news sending or quality assessment services.
After sending such content, we can collect information about the people who received it, for example, which message people opened, what links they clicked on, etc. Such information is collected to offer you relevant and more tailored news and content.
Even if you have given your consent to the processing of Personal Data for direct marketing purposes, you can easily withdraw this consent for all or part of the Personal Data processing activities at any time. To do this, you can:
- notify us of your withdrawal in the manner specified in the provided message (e. g. by clicking on the “unsubscribe” link in the newsletter, etc.); or
- send us a notification. If you so request withdrawal of consent, we may ask you to verify your identity.
If you withdraw your consent, we will try to stop sending such content to you immediately.
Withdrawal of consent does not automatically oblige us to destroy your Personal Data or provide you with information about the Personal Data processed by us, therefore, for these actions you should submit a separate request.
10. Your rights
As a data subject, you have the following rights regarding your Personal Data:
- To know (to be informed) about the processing of your Personal Data (right to know);
- To access your Personal Data and the way they are processed (right of access);
- To request the correction or, depending on the purposes of the processing of Personal Data, supplementation of incomplete Personal Data (right to rectification);
- To request the erasure of your Personal Data or the suspension of your Personal Data processing activities (excluding storage) (right to erase and right to “be forgotten”);
- To request us to restrict the processing of Personal Data for one of the legitimate reasons (right to restrict);
- The right to transfer data (right to transfer). This right may be exercised only if there are grounds for its exercise and appropriate technical measures to ensure that the transfer of the requested Personal Data does not pose a risk of security breach to the data of other Data Subjects;
- The right to object the processing of your Personal Data when we process Personal Data based on a legitimate interest of the Company or a third party, including profiling. If you object, we will only be able to further process your Personal Data for compelling legitimate reasons that take precedence over your interests, rights, and freedoms, or to make, enforce or defend legal claims;
- Revoke your consent to the processing of your Personal Data when this data is processed or intended to be processed for direct marketing purposes, including profiling as far as such direct marketing is concerned (based on the Personal Data you provide, profiling may be carried out for direct marketing purposes to offer you individually tailored solutions and proposals. You can revoke your consent to the processing of Personal Data by automated processing, including profiling, or object to it at any time).
We may refuse to exercise your rights listed above, except for refusal to process your Personal Data for direct marketing purposes, competitions or in other cases when Personal Data is processed with your consent, when your request is allowed to us not to comply with the provision of the GDPR, or when, in cases provided for by law, it is necessary to ensure the prevention, investigation and detection of crimes, violations of official or professional ethics, as well as the protection of the rights and freedoms of the Data Subject, us and other persons, or when the Company has a legitimate interest.
You may submit any request or instruction related to the processing of Personal Data to us in writing.
When submitting such a request, we may ask you to fill in the necessary forms, as well as provide an identification document or other information that will help us to verify your identity, to better understand the content of your request. Upon receipt of your request or instruction regarding the processing of Personal Data, no later than within 1 month from the date of the request, we will provide a response and perform the actions specified in the request or inform you why we refuse to perform them. If necessary, the specified period may be extended by a further 2 months, considering the complexity and number of requests. In such a case, within 1 month from the date of receipt of the request, we will inform you of such extension.
If Personal Data is deleted upon your request, we will only store copies of information that are necessary to protect our legitimate interests and those of others, to comply with the obligations of law, to resolve disputes, to recognize interference or to comply with any agreements you have entered with us. Please note that these rights are not absolute, and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations (such as AML/CTF regulations).
11. How do we secure your Personal Data?
We take great care in implementing and maintaining the security of the Service and safeguarding any Personal Data we process. Personal Data, trusted to us, is hosted on Amazon Web Service and Google Cloud Service, which provides advanced security features. Company employs industry standard procedures and policies to ensure the safety of the Personal Data processed and to prevent unauthorized use of any such information. Please note that while we take reasonable measures to safeguard your Personal Data, we cannot fully guarantee its absolute security.