Privacy Notice

Effective Date: 14.08.2024

Introduction

We are committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data in accordance with the General Data Protection Regulation (GDPR), the Czech Personal Data Processing Act (Act No. 110/2019 Coll.), and other relevant Czech data protection laws.

LeadPay s.r.o., registered number 19510772, address: Zenklova 24/54, 180 00 Praha 8 – Liben, acts as the data controller.

Data we collect and use

We collect the following personal data for the following purposes:

  1. Account set up:

    1. Name, surname;
    2. Email, hashed password;
    3. Environment (IP address, environment, log-in information, browser type and settings, time zone, operating system, device type, unique device identifier, screen size, mobile network information, mobile operating system, mobile browser type, and visit date, time, and length);
    4. Occupation;
  2. Account verification:

    1. Mobile phone number;
    2. Identity document data (document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes, and security features);
    3. Facial image data (photos of the face, selfie images, a photo or scan of the face on the identification document, video screenshots, and sound recordings);
    4. Biometric data (facial features for liveness check);
  3. Fraud Prevention and Account Misuse measures:

    1. Information to prove the source of funds (documents, bank statements, verbal explanations, and screenshots);
    2. Information indicating the purpose and economic sense of a financial transaction;
    3. Information from questionnaires to prove capacity and understanding of actions;
    4. Facial features for liveness check;
  4. Communication and support:

    1. Contact email;
    2. Content of communication, messages, and files attached to messages;
    3. Unique ticket system identifier;
    4. Technical data related to messages (date, time zone, environment, etc.);
  5. Transaction processing:

    1. Details of Wallets, unique identifier in System, Wallet debit card details;
    2. Payment details (date, time, amount, currencies, participants, messages, merchant information, payment methods, technical usage data, and geolocation information);
    3. Bank card details connected to your account (cardholder name, expiry date, first 6 and last 4 digits of the card number);
  6. Issue a crypto card:

    1. ID document scan;
    2. Utility bill scan;
    3. Delivery address;
    4. Liveness check data (if required by risk assessment);
    5. Cardholder name;
  7. Bank Card Verification for Top-Up/Withdrawal:

    1. Card image (excluding 7-12 digits);
    2. Facial features for liveness check (if required by risk assessment);
  8. Sending you promotional materials, news and updates:

    1. Email;
    2. Name;
    3. History of transactions;
    4. Usage patterns;

    Processing is based on your consent. You may withdraw your consent at any time.

  9. To analyze and improve our services:

    1. Types of transactions;
    2. Payment methods;
    3. Environment;

    All data is used in aggregated form.

We process your personal data based on the following legal grounds:

  1. Consent: Where you have provided explicit consent.
  2. Contract: Where processing is necessary for the performance of a contract.
  3. Legal Obligation: To comply with legal obligations under GDPR and the Czech Personal Data Processing Act.
  4. Legitimate Interests: For our legitimate interests, provided your rights and interests do not override these.

Data Sharing and Disclosure

We may share your personal data with:

  1. Service providers and partners who assist in our operations, including payment schemes and payment processors;
  2. Ticket system provider;
  3. Regulatory and law enforcement authorities, where required by law, including Úřad pro ochranu osobních údajů (ÚOOÚ);
  4. Other parties with your consent or as necessary to protect our rights and interests.

Data Security

  1. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in compliance with GDPR and the Czech Personal Data Processing Act.
  2. We use data encryption techniques and authentication procedures to prevent unauthorized access to our systems and your data. Only authorized employees are granted physical access to the premises where data is processed and stored. The premises are monitored.
  3. All supplied sensitive information is transmitted via Secure Sockets Layer (SSL) technology. Card payment information encryption is compliant with PCI DSS.
  4. We authorize access to your personal data only for those employees who need it based on their job requirements (for example, customer support staff). All employees who access personal data are bound by a non-disclosure agreement. We implement continual training for our employees in regard to ensuring the security and confidentiality of personal data.
  5. Personal data of users who are subject to GDPR shall be processed only on servers physically located within the European Union.
  6. We continuously improve our security procedures to ensure that we are in line with the best industry standards, thus ensuring a high level of protection of your personal data.
  7. We recommend you also adhere to some simple rules that will help ensure your safety. Never use the same password for multiple accounts on different sites and always use a strong password with mixed case letters, numbers, and symbols. Do not tell anyone your Wallet password. Please remember that our employees never ask for user passwords. If someone pretending to be a LeadPay employee asks you for your password or other login information, do not give it to them and notify us immediately by email to [email protected].

Your Rights

You have the following rights regarding your personal data under GDPR and Czech data protection laws:

  1. Right of Access

    You have the right to obtain confirmation as to whether or not your personal data is being processed and, if so, access to your personal data and information about the processing.

  2. Right to Rectification

    You have the right to request the correction of inaccurate personal data and the completion of incomplete data.

  3. Right to Erasure

    You have the right to request the deletion of your personal data where one of the following grounds applies:

    1. The personal data is no longer necessary for the purposes for which it was collected.
    2. You withdraw your consent, and there is no other legal ground for processing.
    3. You object to the processing, and there are no overriding legitimate grounds for the processing.
    4. The personal data has been unlawfully processed.
    5. The personal data has to be erased to comply with a legal obligation.
  4. Right to Restriction of Processing

    You have the right to request the restriction of processing of your personal data where one of the following applies:

    1. You contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the data.
    2. The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of its use instead.
    3. We no longer need the personal data, but you require it for the establishment, exercise, or defense of legal claims.
    4. You have objected to processing, pending the verification of whether our legitimate grounds override yours.
  5. Right to Data Portability

    You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance, where:

    1. The processing is based on consent or a contract.
    2. The processing is carried out by automated means.
  6. Right to Object

    You have the right to object to the processing of your personal data on grounds relating to your particular situation, at any time. We will no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

  7. Right to Withdraw Consent

    Where the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

  8. Right to Lodge a Complaint

    You have the right to lodge a complaint with the supervisory authority, Úřad pro ochranu osobních údajů (ÚOOÚ), if you believe that the processing of your personal data violates applicable data protection laws.

To exercise these rights, please contact us at [email protected].

Data Retention

We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. Specifically, we retain your data for the period required by Czech anti-money laundering laws (Act No. 253/2008 Coll. on Certain Measures Against Money Laundering and Financing of Terrorism).

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page, and where appropriate, notified to you by email.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

By using our services, you confirm you understand how we collect and use your personal data as described in this Privacy Policy.