Privacy notice

Preamble

The commercial company CORVUS PAY d.o.o., Zagreb, Buzinski prilaz 10 [hereinafter: »the Company«] places particular importance on the data and privacy protection of visitors of the webpage www.corvuspay.com by applying the highest technical, security, and organizational protection measures, as well as its users, all pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [»General Data Protection Regulation«].

The purpose of the Policy is to provide clear information to users of the Company’s services on the processing and protection of their personal data in the Company, and enable them to monitor and manage their personal data and consents.

This Policy does not diminish the rights nor does it establish obligations to service users with regard to the processing of personal data which they have pursuant to valid regulations and possible contractual provisions on personal data protection.

1. Information regarding the controller and the processor

CORVUS PAY d.o.o. with registered office in Zagreb, Buzinski prilaz 10, Personal Identification Number (PIN) 67770246314, registered at the Court Registry of the Commercial Court of Zagreb under the registry number of entry [MBS]: 081162658, that the controller [»Controller«] with regard to Personal data of its users in the meaning of the applicable regulations regarding data protection.

2. Data Protection Officer

The Company has appointed the Data Protection Officer pursuant to the provision of Article 37 of the General Data Protection Regulation.

For all matters relating to the processing of personal data and/or realisation of the rights regulated by the General Data Protection Regulation, as stated in Item 10 of the Policy, you can address the Data Protection Officer to the e-mail voditelj@corvuspay.com or in writing to the address of the Company with the note „attn. Data Protection Officer“.

3. Scope of application

The Policy refers to clients, potential clients and other natural persons whose personal data the Company collects on any legal ground (hereinafter jointly: Data Subjects).

The Policy is applied:

• to personal data which visitors of the webpage https://www.corvuspay.com/ and https://wallet.corvuspay.com/ enter when sending an inquiry via contact form;
• to personal data which potential employment candidates enter when filing out the application for a certain workplace;
• to personal data [name, surname, email, mobile phone number, address, postal code, city, payment card number, date of expiry of the payment card, control number of the payment card, IBAN], which the buyers/users of trader’s services have entered at the electronic point of sales of the traders, i.e. within the system which is controlled by the Company, while concluding agreements for the sale and purchase of goods and/or services with respective traders, in the purposes stated in Item 5 of the Policy, which are processed by the Company in the capacity of the Controller.

Personal data means any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, personal identification number [»PIN/OIB«], other identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity [hereinafter: »Personal Data«].

Data processing means any operation which is performed on personal data, such as collection, recording, storage, use, transmission of Personal Data and inspection of the Personal Data.

4. Principles relating to processing of personal data

Trust and transparency                 

The objective of the Company is to be a reliable partner to its clients – service users in the protection of their privacy and to justify the placed trust; also, to be entirely transparent with regard to Personal Data processing.

Lawfulness

During the processing of Personal Data, the Company conducts pursuant to the law and applies higher standards and the best European practice.

Purpose of the processing

The Company collects and processes Personal Data only for a certain and legal purpose, and does not process them further in a manner which is not in accordance with the purpose in which they were collected, unless it is otherwise stipulated by the law or on the basis of the consent of the client – service user.

Scale of data

The Company uses only such data of clients – service users which are adequate and necessary for achieving a certain legitimate purpose.

Confidentiality

The Company processes Personal Data in a secure way, including the protection from unauthorised or unlawful processing and from accidental loss, destruction, or damage [e.g., access to Personal Data have only authorised persons who find it necessary to perform their work, but not other workers.].

Quality of Personal Data

The Company places particular importance on the quality of data it processes. Personal Data which are being processed must be accurate, complete and up to date in order to ensure their maximal protection and prevent possible misuse.

Storage periods

Data are being stored and processed for no longer than is necessary to perform a certain legitimate purpose, unless if the valid regulations provide a longer or shorter period of storage for a certain purpose, or in other cases strictly stipulated by the law. After that, the data are deleted permanently or made anonymous.

5. Categories of Personal Data, purpose and legal grounds for processing

Visitors of the webpage of the Company enter their Personal Data voluntarily when sending inquiries via contact form so they could receive a reply, i.e., response to the mentioned inquiry. Legal ground for the processing of these Personal Data is the consent, with can be withdrawn at any moment by sending an email to the address voditelj@corvuspay.com.

Potential employment candidates also enter their Personal Data voluntarily when filling out the application for a certain workplace, for the purpose of submitting the application for the mentioned workplace. Legal ground for the processing of these Personal Data is the consent, with can be withdrawn at any moment by sending an email to the address voditelj@corvuspay.com.

When establishing a business relationship and/or conducting measures of due diligence, or for any other purpose, such as the conclusion of an agreement which regulates the use of certain services provided by the Company, master data are collected, such as name and surname, Personal Identification Number (PIN/OIB), data regarding the permanent residence, as well as the data on the identification document, as it is governed by the regulations in the area of prevention of money laundering and terrorist financing.

Buyers/users of services of the trader enter their Personal Data on an electronic point of sales for the purpose of:

• processing transactions initiated by the buyer/user of services on electronic points of sales;
• using the services of electronic storage of Personal Data for the purpose of simplifying the process of payment on electronic points of sale.

Buyers/users of services of the trader for the purpose of processing transactions also enter the control number of the payment card, however, the Company does not store it, but merely forwards it to the issuer of the payment card for the purpose of verifying the validity of the payment card or transaction processing.

Entry of all mentioned Personal Data is obligatory and is the prerequisite for transaction processing, without those entries the Company will not be able to provide the mentioned service, i.e., it will not be technically feasible.

Personal Data are stored and processed for no longer than is necessary for fulfilment of the agreement or services or certain legitimate purposes, notwithstanding the legally determined deadlines for storing [for instance: regarding the processing of transactions five years since the day of conducting a specific transaction, i.e., the debiting day, with regard to the use of service of electronic data storage, until the expiry of stored payment card if the buyer/user of services of traders does not request erasure of the storage even prior to that deadline].

By initiating transactions, the buyer/user of services of the trader agrees that the Company for the purpose of processing a transaction transfers Personal Data to the recipient, as well as to transfer to the trader upon authorisation of a specific transaction the Personal Data and a masked number of the payment card to the trader, except the control number of the card. The Company is obliged not to make the Personal Data available to third persons without prior consent of the buyer/user of the service, with the exception of abovementioned third persons and when it is demanded by applicable legal regulations. The mentioned third persons shall process the Personal Data solely for the abovementioned purposes.

The Company instructs the buyers/users to read the data protection policies of traders carefully because the Company cannot influence them with regard to other data regarding you which the traders have, as well as purposes and deadlines of processing; you must read their internal acts which they had to make available to you via their webpage.

It is important to emphasize that, besides all aforementioned data categories the Company automatically collects Personal Data from your computer, there are also situations in which we collect other types of information such as date and time of accessing the webpage, hardware and software information or information regarding the web browser which you use as well as    the operating system of your computer and the version of the application and your language settings. We can collect information on the clicking and your access to webpages displayed to you.

When you call our customer support, conversations are not being recorded, but during the processing of the inquiry, i.e., request, data processing occurs. The processing is necessary so we could process the request, i.e., answer your inquiry in the appropriate manner.

Buyers and users of our services often use web-based and mobile services, whereby the generation and processing of technical data is inevitable in order to provide you with the content you expect from us and so it could be displayed on your device. We call these data jointly “data on the device and access”. Data on the device and access are being created every time a web-based and mobile service is being used. It does not matter who the provider of services is. The data on the device and access are therefore created, for instance, when you use:

• web pages
• applications
• fanpages on social media
• when your interaction regarding the newsletter is recorded
• services based on location.

Therefore, on the one hand, the Company collects data on the devices and access from web-services and mobile services which itself offers, on the other hand, the Company collects data regarding the devices and access data from web-pages or mobile services of other companies, under the condition that those are social media or advertising partners connected with our Company or if they participate in the same networks of online advertising “).

Information on the device and access include the following categories:

– general information regarding the device, such as data on the type of device, operating system version, configuration settings (e.g., language settings, system authorisations), Internet connection information (e.g., name of the mobile network, connection speed) and the used application (e.g., name and version of the application).

– identification data (IDs), such as session ID, cookies ID, devices’ unique identification numbers (e.g., Google’s advertising ID, Apple Ad-ID), IDs of accounts of third-party providers (if you have social add-ons or social logins) and other usual Internet technologies so we could recognise your web browser, device or a certain application installation. For instance, if you activate the push service of notifications you will be assigned with a randomly generated unique push ID for identification. We will later send the push ID together with push notifications to the push server so it could send the notification to the correct recipient, i.e., your device.

Furthermore, the Company regularly publishes and shares content, offers and recommendations for our services and products on the social media. With your every interaction on the social media, operators, i.e., service providers of the social media record your behaviour by using cookies and similar technologies. Service providers, i.e., social media operators can view general statistics on the interests and demographic characteristics (such as age, sex, region) of the audience of a fanpage, therefore data processing occurs. If you use social media; the type, extent and purpose of data processing on the social media is primarily set by the social media operators so we kindly ask you to manage your settings on the social media. The Company shall process data within this processing only if you address us with a question or comment on a social media, participate in a giveaway programme etc. The Company cannot influence other related processing.

The Company sends its data subjects, i.e., users notifications regarding products, new services, new applications and similar (newsletter). Therefore, User who applies for receipt of product, new product and discounts notifications, by his double confirmation of correctness of the email address gives his consent for his data processing. The User can withdraw his consent at any moment by clicking on the link for deregistration from the mailing list, which is found at the bottom of each such notification. We certainly must emphasize that, besides the consent, the legal ground for sending notifications is a legitimate interest with regard to existing buyers/users and in the case that we send our offers to legal subjects, i.e., if it is a B2B relationship.

6. Technical and organizational measures to protect Personal Data

The Company applies various technical and organizational measures to protect Personal Data in order to ensure the appropriate level of security and prevent any accidental or unauthorised destruction of Personal Data, loss, alteration or disclosure, as well as unauthorised access and/or processing of Personal Data.

Data regarding payment cards are, due to their sensitive nature, collected and processed exclusively within the system under control of the Company, where they are subject to different levels of protection in accordance with the PCIDSS Standard, and are protected by powerful cryptographic methods. In any case, individual trader maintains formal control and ownership of collected Personal Data.

When handling Personal Data, the Company ensures security of communication and distribution channels, protection of information system resources from unauthorised physical access, theft, physical damage or destruction, protection from a malicious code, virus. Access to Personal Data is limited only to employees who need it for performing functions regarding a regular business process. During the payment process, Personal Data secrecy is protected and ensured by TLS encryption, i.e., the process of data encryption for the purpose of prevention of unauthorised access during their transmission. This enables a secure information transfer and prevents unauthorised access to data during communication between the computer of the buyer/user of services of traders and the Company’s system, and vice versa.

7. Method of Personal Data collection

Personal Data are being processed in accordance with the highest standards of the European Union, as well as the valid regulations of the Republic of Croatia.

The application of the laws of the Republic of Croatia will take precedence over the application of other rights, except in exceptional cases when otherwise agreed or valid regulations require a different application of the law.

8. Period of keeping of Personal Data

Personal Data are stored during the term of the contractual relationship with the Company, i.e., for as long as the consent of the Data Subject is valid, and during the time in which the Company is in legal obligation to keep certain data, in which case an active processing of Personal Data for other purposes shall not be enabled, but only their keeping [archiving] them for purposes provided by the law.

9. Where are Personal Data being processed

Personal Data are being processed in the Republic of Croatia or members of the European Union in which the registered office of the Processor of Personal Data is located.

If necessary, due to certain technical and operative reasons the Company reserves the right to transfer Personal Data to countries outside the European Union, with regard to the decisions of the European Commission on the adequacy or pursuant to appropriate protection measures or certain deviations determined by the General Data Protection Regulation. In the case of the transfer of Personal Data to third countries, if the decision of the European Commission on adequacy has not been made, the Standard Contractual Clauses are applied.

The Company is not responsible for the manner or conditions of operation of third parties.

By using certain service providers who don’t have registered office on the territory of the USA, the Company collects and processes personal data through user interactions on social media such as Facebook, Google (YouTube channel), Instagram and LinkedIn.

Responsible persons appointed by the Company have insight in the messages and/or publications on social networks, however Personal Data collected through them, particularly those contained in messages, the Company does not store and does not additionally process except for the purposes stated in this document.

The Company uses a business profile when using Facebook, YouTube, Instagram and LinkedIn services, you can see their privacy regulations, i.e., confidentiality statements as well as the manner in which they use your Personal Data at:

FACEBOOK AND INSTAGRAM (Meta products)	FACEBOOK: https://hr-hr.facebook.com/privacy/policy/?entry_point=facebook_page_footer INSTRAGRAM: https://privacycenter.instagram.com/policies/cookies/
LINKEDIN	https://www.linkedin.com/legal/privacy-policy?trk=d_checkpoint_gL_consumerLogin_ft_privacy_policy
YOUTUBE	https://policies.google.com/privacy

If you have questions regarding the collection and processing of data by Facebook, YouTube, Instagram and/or LinkedIn or you wish to exercise some of your rights guaranteed by the General Data Protection Regulation, contact:

FOR FACEBOOK & INSTAGRAM(META PRODUCTS): Meta Platforms Ireland Limited 4 Grand Canal Square Grand Canal Harbour Dublin 2 Ireland
Contact the Data Protection Officer:	https://web.facebook.com/help/contact/540977946302970?_rdc=1&_rdr
If you are not satisfied with the way your personal data is collected and processed, you can contact the leading supervisory body of Meta, the Irish Data Protection Commissioner or the Personal Data Protection Agency of the Republic of Croatia.

FOR LINKEDIN: For users outside the Designated Countries: LinkedIn Corporation Attn: Legal Dept. (Privacy Policy and User Agreement) 1000 W. Maude Avenue Sunnyvale, CA 94085 USA For users in the Designated Countries: LinkedIn Ireland Unlimited Company Attn: Legal Dept. (Privacy Policy and User Agreement) Wilton Plaza Wilton Place, Dublin 2 Ireland
Contact the Data Protection Officer:	https://www.linkedin.com/help/linkedin/ask/TSO-DPO
If you are not satisfied with the way your personal data is collected and processed, you can contact the leading supervisory body of LinkedIn, the Irish Data Protection Commissioner or the Personal Data Protection Agency of the Republic of Croatia.

FOR YOUTUBE: Google Ireland, Ltd., Gordon House Barrow St, Dublin 4, Irska
Contact the Data Protection Officer:	https://support.google.com/policies/contact/general_privacy_form
If you are not satisfied with the way your personal data is collected and processed, you can contact the leading supervisory body for Youtube, the Irish Data Protection Commissioner or the Personal Data Protection Agency of the Republic of Croatia.

Considering all of the abovementioned, as well as the fact that the Company uses tools and services of social media which do not perform business operations on the territory of the European Union, we are obliged to inform you that those third parties, who manage the social media can transfer your data to the USA, where they are shared with intelligence services pursuant to regulations valid in the USA.

We care about the protection of your Personal Data and that is why we have initiated mechanisms which will enable an even greater level of your protection. We temporarily perform the transfer of data with regard to the service providers Google, LinkedIn and Facebook on the basis of the consent of the Data Subject with regard to the suggested transfer, whereby we always point out that there are risks with regard to such transfers because of the non-existence of the decision on the adequacy and corresponding of protection measures by Google Ireland Ltd., LinkedIn Ireland Unlimited Company and Facebook Ireland Ltd. as independent Controllers.

The Company shall send to the Data Subjects, i.e., users a special notification in the following cases:

• that the transfer of data is necessary for performance of a contract or for the implementation of pre- contractual measures taken at the Data Subject’s request; or
• that the transfer of data is necessary for the conclusion or performance of a contract concluded in your interest as the Buyer, i.e., User, between us as the Controller and other natural or legal persons; or
• that the transfer of data is necessary for the establishment, exercise or defence of certain legal claims.

We will additionally and timely inform you on all measures taken and will after the finalisation of currently pending procedures also change our internal documents.

10. Rights of a Data Subject

The Company respects the fact that every user must have the option to ensure accuracy, completeness, and timeliness of his Personal Data. If the Data Subject finds that his personal data are incomplete, inaccurate or are not updated, you can contact the Company by sending an email to voditelj@corvuspay.hr

Keep in mind that at any moment you have the right to request the following:

to enable access to your Personal Data	You can ask the Company which of your Personal Data are being used, and you can request access to those Personal Data. You have the right to know the purpose of processing, which categories of your personal data we keep, bodies or categories of bodies with which we share your Personal Data, the period during which the data are being maintained, as well as the source of data in the case when data are collected indirectly. You can contact us if you wish a copy of some or all of your Personal Data we keep on you.
request rectification of false information	We want that your personal information is accurate and up-to-date. You can request from us to rectify or remove information you find to be inaccurate or out-of-date.
request erasure of personal data	You can request from the Company to stop the processing or even erase your Personal Data. If we need your Personal Data to perform a certain contractual obligation towards you, the Controller could stop being able to perform such contractual obligations. Also, if your Personal Data are necessary so we could realise certain legal obligations (e.g., tax obligations) Your request might not be realisable.
limiting access to your data (us and/or third persons) in a certain process or entirely	If you want to dispute the accuracy of data, or if we no longer need your Personal Data for the purpose of processing, but you need them to establish, perform or process legal claim or if you opposed the processing on the basis which we find legitimate, you have the right to request limitation of the Personal Data processing.
submit an objection regarding the manner we use your data	Remember, you have the right to object to Personal Data processing, which is based on the legal ground which the Company finds legitimate.
request transfer of data to another processor (transferability of rights)	If the data processing is based on your consent or is done by automated means, you have the right to request from the Company as the processor to transfer the data to another processor.

If you are not satisfied with the manner we collected or used your Personal Data, you can address a formal complaint to the Personal Data Protection Agency.

Therefore, pursuant to all of the abovementioned, every Data Subject has the right in any moment to request from the Company access, i.e., overview of the Personal Data which refer to the mentioned user in the form of an electronical copy of the data, rectification or erasure of Personal Data, limitation of processing of Personal Data, as well as portability of Personal Data by sending an email to the address: voditelj@corvuspay.com.

The Company has the right to request from the Data Subject to prove his identity in an appropriate way.

If the Company even after that suspects the identity of the Data Subject, it is authorised to deny his request. The Data Subject is aware and accepts the fact that the erasure of Personal Data can be requested only provided that the Personal Data are no longer necessary to the purposes for which they were collected. The Data Subject has the right to object to Personal Data processing by sending an email to the address of the Data Protection Officer voditelj@corvuspay.com or in writing to the address of the registered office of the Controller. The Data Subject also has the right to submit a complaint to the supervisory body, i.e., the Personal Data Protection Agency.

If the processing is based on the legitimate interests pursued by the Company or by a third party [Article 6 Paragraph 1 Item f of the General Data Protection Regulation], the Company conducts a balance test, and can process Personal Data after the balance test shows that the pursuit of legitimate interests by the Company and/or by a third party does not outweigh the fundamental rights and freedoms of the Data Subject.

All requests for the exercise of rights the Company keeps for a period of 5 years for the purpose of performance of obligations which it has as the Controller.

11. Modifications and amendments

The Company keeps the right to modify and amend the Policy pursuant to applicable regulations.

The modifications and amendments shall enter into force and shall apply after the expiry of the period of 15 [fifteen] days from the day on which the modifications and amendments became available, whereby the day on which the modifications and amendments were published on the webpage of the Company is considered as the day on which they were made available.

The Company shall exercise good faith efforts to inform in a timely manner the clients of the Company on an individual basis by email on the modifications and amendments of the Policy.

The Cookie Policy is an integral part of this Policy.

12. Entry into force

The Policy shall enter into force and shall apply from the day of its publication, and is available on the webpage of the Company and in the business premisses of the Company.

The policy applies to all Data Subjects, however, the law of the country of which the Data Subjects is a citizen may also apply.