Privacy

Scalapay SRL - Privacy Notice

Scalapay respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you use our services, or otherwise access any of our products and services and tell you about your privacy rights and how the law protects you.

The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The Data Protection Act 2018 (“DPA 2018”) sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018.

It sits alongside the GDPR, and tailors how the GDPR applies in the UK - for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defense, and sets out the Information Commissioner’s functions and powers.

Important information and who we are

PURPOSE OF THIS PRIVACY POLICY

This privacy policy aims to give you information on how Scalapay collects and processes your personal data through your visit to our website, including any data you may provide when you sign up to use our services, subscribe to our newsletter, engaging with our customer support team or take part in a promotion or a survey.

It is important that you read this privacy policy together with any other policies we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements the other policies and is not intended to override them.

CONTROLLER

Scalapay SRL acts as the data controller and is responsible for your personal data (collectively referred to as “COMPANY”, “we”, “us” or “our” in this privacy policy).

We have appointed an external data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the external DPO using the details set out below.

Our Contact Information (Data Controller)

Scalapay SRL

Corso Italia 8

Milano 20122

Italy

Company Email: support@scalapay.it

Our Data Protection Officer

Robert Healey

dpo@scalapay.it

Formiti Data International

The Black Church,

ST. Mary’s Place

Dublin 7, D07P4AX

You have the right to lodge a complaint with any Supervisory Authority. See our Supervisory Authority contact details below.

Garante per la protezione dei dati personali

Piazza di Monte Citorio, 121

00186 Roma

Italy

garante@garanteprivacy.it

www.garanteprivacy.it

We would, however, appreciate the chance to deal with your concerns before you approach the Garante per la protezione dei dati personali so please contact us in the first instance.

Changes to The Privacy Policy and Your Duty to Inform Us of Changes

This version was last updated on January 27, 2021 and historic versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third Party Links

This website may include links to third-party websites, clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

IF You Fail to Provide Your Personal Data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

What personal information do we collect from customers?

The personal data we collect depends on whether you just visit our website or use our services. If you visit our website, you do not need to provide us with any personal data. However, your browser transmits some data automatically, such as the date and time of retrieval of one of our web pages, your browser type and settings, your operating system, the last web page you visited, the data transmitted and the access status, and your IP address.

If you use our services, personal data is required to fulfil the requirements of a contractual or service relationship, which may exist between you and our organisation.

We collect:

•  Residential Address

•  Email Address

• Date of Birth

• Credit / Debit Card Details

• Postal Code

• Historical Behaviour on Platform

• Associated Behaviour on Platform

• National ID Number

• Mobile Phone Number

• Photo Identity Document

• Name

• Online Identifiers

What personal information do we collect from our Merchants?

•  Business Owner Email Address

•  Business Owner Name

•  Business Owner Date of Birth

•  Business Owner Residential Address

•  Business Owner Mobile Phone Number

•  Business Owner Photo Identity Document

What we do with your personal data

We process personal data only for the purpose for which they are collected. The purpose is dependent on whether you use only our website, or additionally, our services. If you use our services, you are required to register, and we collect your personal data. We use this personal data for the provision of the service or the performance of the contract. We may use your personal data for other similar purposes, including marketing and communications, but that will only occur in the case we have your consent or another legal justification for doing so.

From our Customer we process and retain personal data for the following purposes and periods, with the applicable legal basis.

Processing purpose Legal basis Retention period
Payment Processing Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until contract completed
Customer Account Management Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until contract completed
Customer Credit Application Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until service completed
Know Your Customer Check (KYC) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until contract completed
Website Analytics Legitimate Interest: it's in our legitimate interest (Product development and enhancement) Until contract completed
Customer email marketing Legitimate Interest: -Necessary for our legitimate interests (to develop our products/services and grow our business) Until consent withdrawn
Online Chat Support Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until contract completed
Offline Customer Email Support Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until contract completed

From our Merchan we process and retain personal data for the following purposes and periods, with the applicable legal basis.

Processing purpose Legal basis Retention period
Merchant Account Management Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until contract completed
Email Marketing Legitimate Interest: -Necessary for our legitimate interests (to develop our products/services and grow our business) Until contract completed
Online Chat Support Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until contract completed
Offline Merchant Email Support Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Until contract completed
Website Analytics Legitimate Interest: -Necessary for our legitimate interests (to develop our products/services and grow our business) Until contract completed

International transfers

Some of our external third parties are based outside the European Economic Area (**EEA**) so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

•  We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

•  Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

•  Where we use providers based in the US, we may transfer data to them if we have an adequacy legal contract with them commonly know as Model clauses or Standard Contract Clauses

Who might we share your personal data with?

Who might we share personal data with?

We may share your personal data with the categories of recipients listed below, for the below purposes. Exactly which recipients we share your personal data with, and for which purposes, will depend on which Services you use. In doing so, we take all reasonable contractual, legal, technical, and organisational measures to ensure that your personal data is treated with an adequate level of protection.

Suppliers and subcontractors.

Scalapay S.R.L. may share personal data with suppliers and subcontractors that we use in order to provide the Services to you. Suppliers and subcontractors are companies who are only entitled to process the personal data they receive from Scalapay S.R.L. on Scalapay S.R.L.’s behalf. Examples of such suppliers and subcontractors are software- and data storage providers, payment processing services, and business consultants.

Stores.

Scalapay S.R.L. shares personal data with the store / merchant you visit or make a purchase from. This is done in order to allow the store to administer your purchase and your relationship with the store, send you the goods, manage disputes, and to profile its customers into categories such as age groups or gender, and also to prevent fraud. The personal data shared with a store will be subject to the store’s privacy policies and practices.

Payment service providers (“PSPs”):

PSPs provide stores with online services for accepting electronic payments through a variety of payment methods including credit card, bank-based payments such as direct debit, etc.

Credit reference agencies.

If you apply for Scalapay S.R.L. credit service or Scalapay card, your personal data may be shared with credit reference agencies (“CRA's”), for the following purposes: To assess your credit score in connection with your application for one of Scalapay S.R.L payment methods, to confirm your identity- and address information, and protect you and other customers from fraud. Your telephone number and address may also be shared with the CRA, in order for the CRA to send you a notification that it has done a credit assessment of you.

How Long Will We Use Your Data For

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.  A copy of our Data Retention Schedule is available upon request.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Automated Decision Making

Our company uses systems to automatically make decisions which may have an effect on your order. For further details, please check the following:

We use computer systems to generate the following type of decisions:

1: Approval of loans to customers

The following is a description of the processes involved:

When the customer selects the Scalapay payment method we use an automated system that take into consideration the customers history on the platform as well as other fraud/risk signals to determine the maximum loan amount. If the customer’s order is approved the payment is transferred to the retailer. If the customer's order is rejected, then they are redirected back to the retailers website

This is why we conduct automated processing:

We use this process to limit the amount of loans we provide to potentially fraudulent customers or to customers that we believe are at risk of not being able to repay the loan.

This is the potential impact it might have on you:

Customers may be denied the approval of the loan

You have the right to challenge such decisions, to express your point of view or to request an explanation of any decisions reached. For further details or queries on automated processing, you may contact us directly.

How do we look after personal data?

We limit the amount of personal data collected only to what is fit for the purpose, as described above. We restrict, secure, and control all our information assets against unauthorised access, damage, loss, or destruction; whether physical or electronic. We retain personal data only for as long as is described above, to respond to your requests, or longer if required by law. If we retain your personal data for historical or statistical purposes, we ensure that the personal data cannot be used further. While in our possession, together with your assistance, we try to maintain the accuracy of your personal data.

Your legal rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. We set out below a brief description of such rights:

1. To be informed:

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR and DPA 2018. This Privacy and our cookie policy meet this requirement.

2. Request access to your personal data

(commonly known as a “data subject access request”)**: This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

3. Request rectification of your personal data:

This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

4. Request erasure of your personal data:

This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

5. Object to processingof your personal data:

Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms

6. Request restriction of processing your personal data:

This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; or (b) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it

7. Request the transferof your personal data to you or to a third party:

We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

8. Withdraw consent at any time

where we are relying on consent to process your personal data**: However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent

How can you access your personal data?

If you would like to make a request to see what personal data of yours we might hold, you may make a request from our company website or here.

Where you have previously given your consent to process your personal data, you also have the right to request that we port or transfer your personal data to a different service provider or to yourself, if you so wish.

Where it may have been necessary to get your consent to use your personal data, at any moment, you have the right to withdraw that consent. If you withdraw your consent, we will cease using your personal data without affecting the lawfulness of processing based on consent before your withdrawal.