Privacy Policy

KoronaPay Europe Limited

Last updated 12 January 2023

If you have any questions or suggestions concerning our privacy practices, please email us at dpo@koronapay.eu. Please contact us, if you would like to request data access or deletion, or to exercise any other rights provided under the European Union (EU) law, including withdrawal of consent, data portability, etc.

Who we are

KoronaPay Europe Limited (“KoronaPay”, “we”) is an Electronic Money Institution (EMI) licensed and regulated by the Central Bank of Cyprus, the License No. 115.1.3.30.
Address: 359, 28th October str, World Trade Center, 5th floor, Limassol, 3107, Cyprus.
Email: dpo@koronapay.eu.

In certain operations KoronaPay acts as joint controller together with Credit Union Payment Center (LLC) (the “Payment Center”).
Address: 2, Shaturskaya street, Novosibirsk, 630055, Russia.
Email: mail@rnko.ru

KoronaPay and Payment Center act as joint controllers for money transfers made through Zolotaya Korona network of partners (financial and money transfer organizations which process money transfers) and related processing activities. KoronaPay acts as a sole controller for transfers in which both a sender and recipient are in the EU, use cards issued by EU banks and transfers made through KoronaPay network of partners exclusively.

KoronaPay and Payment Center have distributed personal data duties for the processing activities in the joint controllers’ agreement in line with Article 26(2) of the Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”). Both companies have committed themselves to assist each other in fulfilling their GDPR obligations, including the execution of data subject requests. Please contact us, if you need more information about the allocation of responsibilities.

KoronaPay also acts as the Payment Center’s representative in the EU. You can contact us as specified in this Policy.

How we use your data

KoronaPay processes your personal data when you:

Please select the respective section below, to learn about how we process personal data for a particular purpose. Every section covers purpose and legal basis for processing, categories of data processed, why and for how long data is collected, who the data is shared with.

Senders and recipients of money transfers
Mobile App users
Website users
Counterparties and partners
Job applicants

The Website and Mobile App are not intended for children and anyone under the age of 18.

You are not obliged to provide your personal data to us. However, when we need your personal data to enter into and perform a contract with you, to verify your identity, perform a transfer, but you do not provide the required data, we may not be able to perform the contract we have or are trying to enter into with you. Should this be the case we will notify you.

Who we work with

CFT Group

To provide money transfer services we engage companies from the CFT Group. The CFT Group are Russian entities among the Top 5 Software Developers in the Russian financial market and include the following key companies which have access to personal data:

Currently, the European Commission does not consider Russia as a country that ensures the adequate level of data protection under the GDPR. So, when transferring personal data to these companies in Russia, we have implemented additional appropriate safeguards as required under Article 46 of the GDPR.

To maintain your privacy during the money transfers, we have adopted standard data protection clauses approved by the European Commission in accordance with Article 46(2)(c) of the GDPR with all companies of CFT Group involved in the processing of personal data.

Standard data protection clauses form an agreement that contains the description of mutual data protection obligations of data exporter and importer in relation to the processing of your personal data. If you need to obtain a copy, please contact us.

Financial institutions and money transfer providers

We cooperate with the network of financial institutions and money transfer institutions in many countries in the world, where you can send or receive money transfers. We also use payment processing services of international payment systems such as Visa International and Mastercard Worldwide.

When transferring data to third parties located outside Cyprus, we follow the below rules:

Other parties involved

We may also use third-party data processors to obtain some services and software. Such providers grant an adequate, sufficient safeguarding service when it comes to processing your data, since we carefully screen service providers by including specific demands in the event that their services involve the need to process personal data.

We have necessary contracts with third-party providers. This means we are aware of operations they perform with your personal data on our behalf and instruct them how to keep your personal data secure and how long to store it.

Namely, we use services of the following third-party companies:

Public authorities

We are a financial regulated entity in Cyprus. We are obliged to submit information on fraud or money laundering and suspicious transactions to public authorities as required under the applicable law.

Besides, if we receive a lawful request from law enforcement or other public authorities, we may also be obliged to disclose your information to public authorities.

See more details in the section Comply with reporting obligations and public authorities’ requests.

Detailed description of data processing activities

Senders and recipients of money transfers

When you use the Mobile App for sending money transfers, verify your identity and for other actions, we also process your data as a Mobile App user.

Process money transfers

Purpose and legal basis for processing

Our purpose is to process a money transfer which you initiate in the Mobile App or cash transfers through our Network partners. We collect information about the sender and the recipient of the money transfer.

The legal basis:

Personal data we process

To process a money transfer, we need information about the sender, recipient and payment details. Depending on the type of transfer (card to cash, card to bank account, bank transfer to cash, cash to cash, etc.) the exact data we collect is different.

About a sender:

About a recipient:

Money transfer details:

We may also collect additional data if it is required under the legislation of a transfer destination country in order to enable the transfer to this country or to Detect and prevent fraudulent transactions and perform anti-money laundering procedures.

Depending on a type of transfer, we receive this information directly from the sender in the Mobile App, from network of partners or CFT Group through which a transfer was initiated.

Why we need your data

We need this information to process a payment order initiated by a sender in compliance with the transfer terms and obligatory requirements set for money transfers. The sender’s data (such as full name, date of birth, permanent address and phone number) is also saved in the sender’s account in the Mobile app and is available for the user at any time.

How long do we store your data

According to AML legislation, we must retain user account and all related data and documents for at least five (5) years after you made a transfer or identity verification request in the Mobile App, any risk is revealed, which requires us to retain data or after the end of business relationship with you. The AML legislation includes Cyprus Law No. 188(I)/2007 The Prevention And Suppression Of Money Laundering And Terrorist Financing Law (see the Article 68), EU Directive 2015/849 on the Prevention of Money Laundering and Terrorist Financing (see the Article 40) and other laws and regulations applicable to us under the EU and Cyprus law (“AML legislation”).

Besides, under Article 72 of the Payment Services Directive (EU) 2015/2366, it is also obligatory to retain evidence of all payment transactions as a proof of proper authorization and execution of payment transactions.

At the end of the retention period, we will erase your data, unless we are required to keep your data longer on other legal grounds (e.g. as a part of an investigation or if legislation changes).

Besides, as transfers are made through the network of partners or Payment Center, these entities may also be obliged to retain your data to comply with national anti-money laundering and other laws they are subject to. For instance, Payment Center is subject to Russian Bank Law No. 395-1 that obliges them to keep the evidence of all executed payments. Furthermore, the Russian anti-money laundering and anti-terrorism legislation requires Payment Center to retain the user activity history for five (5) years after the end of business relationship with a transfer sender.

Third parties involved in processing

Perform mandatory identity verification checks

Purpose and legal basis for processing

As a licensed electronic money institution, KoronaPay is subject to European and Cyprus AML legislation. So, we must collect and verify data about the senders and recipients of money transfers to prevent money laundering and terrorist financing activities. KoronaPay collects data to the extent strictly necessary to fulfil applicable legal requirements.

The legal basis: - compliance with legal obligations KoronaPay is subject to (Article 6(1)(c) of the GDPR).

Personal data we process

The scope of data collected for the verification purpose depends on:

For transfers below the basic limit, KoronaPay requests the sender’s full name, date of birth, permanent address, phone number and a recipient’s full name and bank details.

For transfers above the basic limit and depending on the risk level, KoronaPay additionally collects:

Besides, additional data can be requested by KoronaPay’s Compliance team if the provided information is insufficient to complete a verification. Read more about the existing limits for transfers and the verification process.

Why we need your data

KoronaPay must check validity of the provided document and verify if the person making a payment order is real (not a robot), if a person is a politically exposed person (PEP), if a person is included in a blacklist or falls under any other restrictions. We receive the information from you directly and consult with AML approved sources and lists.

Although the preliminary check is performed automatically, KoronaPay’s Compliance team performs manual examinations to make a decision.

How long do we store your data

According to the AML legislation, we must retain user account and all related data and documents for at least five (5) years after you made any transfer or identity verification request, or any risk is revealed, which requires us to retain data.

At the end of the retention period, we will erase your data, unless we are required to keep your data longer on other legal grounds (e.g. as a part of an investigation or if a legislation changes).

Third parties involved in processing

Detect and prevent fraudulent transactions and perform anti-money laundering procedures

Purpose and legal basis for processing

Our purpose is to detect and prevent payment fraud, terrorism financing and money laundering by assessing transfers and monitoring them on an ongoing basis. We are required to do so by the AML legislation.

The legal basis: - compliance with legal obligations KoronaPay is subject to (Article 6(1)(c) of the GDPR).

Personal data we process

The volume of personal data we use for identifying and detecting fraudulent activities depends on the type of transfer, risk level, restrictions in place and fraud scenarios we identify.

Generally, we use the following categories of personal data:

The Compliance team can request additional information on the sender, recipient and source of funds or the purpose of a transfer, if it is necessary to prevent fraud, terrorism financing, money laundering or any other illegal activities.

Why we need your data

Under the AML legislation, we are required to collect and process data:

How long we store your data

According to AML legislation, we must retain user account and all related data and documents for at least five (5) years after you made any transfer or identity verification request, or any risk is revealed, which requires us to retain data.

At the end of the retention period, we will erase your data, unless we are required to keep your data longer on other legal grounds (e.g. as a part of an investigation or if a legislation changes).

Third parties involved in processing

Inform about transfers, verification and other non-marketing events

Purpose and legal basis for processing

Our purpose is to send payment receipt, important information on the transfer and how it can be received, remaining amount of the limit, inform you about the identity verification process, maintenance activities or other service issues.

The payment receipt is sent to your email. We may also inform you via push-notifications in the Mobile App, SMS or messengers. In some cases, our customer support team may call you.

Under Articles 46, 48 and 49 of the Payment Services Directive (EU) 2015/2366, KoronaPay is obliged to make payment information available to the sender and the recipient after the money transfer is initiated and executed.

The legal basis:

Personal data we process

We do not collect any additional data for such communications. Instead of that, we use the contact details you have already provided us with in your profile or while making a transfer. Namely, we use the following information to contact you:

Why we need your data

We need to keep you informed about the money transfers you have initiated in the Mobile App, identity verification process, and any operating issues that may affect your interaction with our services. Our aim is to facilitate correct use of our services and inform recipients on the possible options on how to receive transfers.

How long we store your data

According to AML legislation, we must retain user account and all related data and documents for at least five (5) years after you made any transfer or identity verification request, or any risk is revealed, which requires us to retain data.

At the end of the retention period, we will erase your data, unless we are required to keep your data longer on other legal grounds (e.g. as a part of an investigation or if a legislation changes).

Third parties involved in processing

Comply with reporting obligations and public authorities’ requests

Purpose and legal basis for processing

By law KoronaPay is obliged to notify the Cyprus Unit for Combating Money Laundering (“MOKAS”) about events which are or could be related to money laundering or terrorist financing activities.

Besides, we are obliged to fulfill requests that we may receive from law enforcement and other public authorities and courts, e.g. in case of a criminal or government investigation. We always review the legality of disclosure requests before providing any information.

As the transfer service is provided through the chain of financial institutions, including Payment Center, these institutions may also be subject to reporting requirements under the legislation applicable to them and have to comply with disclosure requests.

The legal basis: - compliance with legal obligation KoronaPay is subject to (Article 6(1)(c) of the GDPR).

Personal data we process

When required by law, we use your personal data to file reports to MOKAS and respond to official request of public authorities. This data is received from you to Process money transfers, to Perform mandatory identity verification checks and to Detect and prevent fraudulent transactions and perform anti-money laundering procedures.

The reports may include the following information:

Why we need your data

Notifying the public authorities and compliance with disclosure requests is our legal duty.

How long we store your data

We keep the records of communications with the public authorities for five (5) years. At the end of the retention period, we erase data, unless we are required to keep your data longer on other legal grounds (e.g. as part of an investigation).

Third parties involved in processing

Process support requests, information requests or feedback

Purpose and legal basis for processing

Our purpose is to process requests when you call us or send a request. Users can reach us out via the following channels:

In general, we may receive the following types of requests:

The legal basis:

Personal data we process

The information we need may vary depending on the nature of your request and the communication channel you choose. Generally, we process the following categories of data:

Why we need your data

We need to process personal data to identify you as sender or a recipient of a transfer, a user of the Mobile App, understand your case and to help you to resolve it. Recording of the calls is necessary to ensure quality control of the customer support provided to existing and potential customers.

How long we store your data

We process data from the information request until the issue is resolved or we have fulfilled your request. We then store data for up to 3 years to be able to exercise and defend our rights in case a dispute arise. If a request relates to a money transfer, verification or any risk, such information is stored during 5 years to comply with anti-money laundering laws requirements.

Third parties involved in processing

Send promotions and offers

Purpose and legal basis for processing

Our purpose is to notify you about new system features, promotions and offers that we expect to be of interest for you.

To make offers specific and commercially reasonable and to reduce the number of messages as well, we use your personal data to define what message is the most relevant for you. We may use different communication channels, including push-notifications, SMS, messengers or email.

The legal basis:

Available opt-out options

In accordance with Article 21 of the GDPR, we provide you with the following options to object to direct marketing:

If we receive from you the opt-out request, we will stop sending you our promotions and offers or any other marketing communications. Please note, that this process can take some time, because at the moment you send an opt-out request some message sending scripts may have already been initiated.

Personal data we process

Why we need your data

KoronaPay conducts these processing activities to notify you about relevant news, promotions and offers and to make the communications relevant for you.

How long we store your data

The option to unsubscribe is available to you in all our messages. If you unsubscribe, KoronaPay will stop sending to you any marketing information.

Basically, we store data for five (5) years, unless you ask us to delete your account earlier. The possibility to delete account may be restricted due to anti-money laundering and anti-terrorism requirements (see Right to erasure of personal data).

Third parties involved in processing

Conduct a referral program

Purpose and legal basis for processing

We have a referral program that allows our users to receive a reward. See more details on the program here. We issue a promo code and check if a sender used it during a transfer. If conditions of the referral program are met, we ask for bank details to pay the reward.

The legal basis:

Personal data we process

Why we need your data

We process data to issue a promo code for a sender of a transfer, check if the promo code was used and if the eligibility criteria are met. Besides, to pay the reward we ask you to provide bank details. We must keep data on all executed payments made under the program for accounting purposes.

How long we store your data

We store information on all payments made and related data within five (5) years after such a payment is made, to comply with laws and to be able to exercise and defend our legal claims in case a dispute arise.

Third parties involved in processing

Mobile App users

When you send or receive money transfers, we also process data as a sender or recipient of money transfers.

Enable you to use the Mobile App

Purpose and legal basis for processing

To become a new user of our online money transfer services, you must sign up in the Mobile App. The registration requires you to enter your mobile phone number and confirm it.

While using the Mobile App for money transfers and verification your identity you enter a number of information about the transfer, the sender and recipient of data. We store this data and make it available to you in the profile. The Mobile App allows you to save the payment card credentials for using them in further payments you perform.

We also log actions and events in the Mobile App to Optimise the Mobile App, digital marketing activities and to Detect and prevent fraudulent transactions and perform anti-money laundering procedures.

The legal basis:

While using the Mobile App, you are also asked to grant access to:

The legal basis: consent you provide by allowing the respective function in the Mobile App (Article 6(1)(a) of the GDPR).

Personal data we process

Why do we need this data

We identify you as a user by the phone number you enter. KoronaPay provides the Mobile App to users with EU-based phone numbers. Other users are supported by Payment Center.

Once registered, all transfers and verifications under your user account will be associated with this phone number. We also create a user ID that is uniquely associated with your phone number. We use this ID to organise data interchanges between our internal systems.

An access to contact list, location and other non-essential features is asked to make your user experience in the Mobile App better.

Available account management options

You can delete your account by using the relevant option in the Mobile App or write a request to kpesup@koronapay.com. Please include in the message the phone number your account is linked to.

The possibility to delete an account may be restricted due to anti-money laundering and anti-terrorism requirements we are subject to. In such a case we will block your account. See more details in the section Right to erasure of personal data.

Once the account is deleted or blocked it is impossible to use it or to register a new account with the same phone number.

How long we store your data

Basically, we store data for five (5) years, unless you ask us to delete your account earlier. The possibility to delete account may be restricted due to anti-money laundering and anti-terrorism requirements (see Right to erasure of personal data).

Third parties involved in processing

Optimise the Mobile App, digital marketing activities

Purpose and legal basis for processing

In the Mobile App you operate with financial data and we need to make sure that the app works correctly. We use our own logging tools to monitor the continuity of a Mobile App and to collect information about the circumstances of the failure if it occurs. Our purpose is to collect the data about the way you use the app (user account event log) to detect and fix technical issues in a timely manner.

Besides, we use third-party services (e.g AppsFlyer) to gather information on how you interact with the Mobile App, to show you the information on promotions and offers on the Internet, including search engines, public web resources and social networks.

The legal basis:

Available opt-out options

Personal data we process

Why we need your data

We use logging and analytical tools to ensure that the Mobile App works properly and is easy to navigate within. We also conduct these processing activities to promote the money transfer services on the Internet.

How long we store your data

We store logs and technical data in analytics for up to two (2) years. Some data is included in your account profile, in which case it is stored for as long as you use an account or five (5) years (see process Enable you to use the Mobile App).

Third parties involved in processing

Website users

Use cookies technology on the Website

Purpose and legal basis for processing

On the Website, we use cookies technology that gathers information on your settings, how you use the Website, from which sources or marketing campaign you came to the Website, how much time you spent on the Website and which pages you visited.

This allows us to obtain insight on how to improve our Website or what new features and products we should develop. We also use the data to inform the audience for our digital marketing activities, and to assess the efficiency of our digital marketing campaigns.

The legal basis:

Available consent withdrawal options

You can always change your choice by using the Cookie Control function provided in the bottom of the Website or by adjusting the Website settings in the web browser you use.

Personal data we process

Why we need your data

We conduct these processing activities to improve our Website and your user experience. Data is also necessary to gain an understanding of our audience for marketing campaigns on the Internet and to promote our money transfer services.

Typical scenarios for use of the analytics are the following:

We use analytical and marketing cookies only if you allow us to do so. When visiting and using the Website, you can adjust cookies settings to allow the use of cookies or disable them.

How long we store your data

A retention period for the cookies is set for each cookie type and is commonly limited to three (3) months. They automatically expire after the set retention period. You can also delete cookies from your device in the browser settings.

Third parties involved in processing

Counterparties and partners

Negotiate, enter-into and perform agreements with counterparties and partners

Purpose and legal basis for processing

We are constantly working on extension of our business network to provide money transfer services to our users. Besides, we may engage third-party service providers and outsource some activities.

To communicate and negotiate engagement conditions with potential counterparties we collect, and process contact information about representatives of such counterparties. Also, when concluding a contract we receive information on the signatories of the agreement and the basis of their authorities.

With respect to money transfer provider and other partners, we collect a due diligence file before proceeding with the engagement. We must make sure that partners follow our standards and there are no reputational, regulatory, or other commercial risks arising due to engagement of a partner. From time to time, we may also ask to confirm whether the provided information is still up to date.

The legal basis:

Personal data we process

Why we need your data

We need data to contact potential and existing counterparties and their representatives, to conclude legally valid contracts with duly authorized representatives. We must conduct due diligence procedures to ensure the safety and quality of our services and to comply with applicable requirements.

How long we store your data

We store information within the period of a contract’s validity and five (5) years after its termination, to comply with laws and to be able to exercise and defend our legal claims in case a dispute arises.

Third parties involved in processing

Job applicants

Assess if a job applicant is fit for a position

Purpose and legal basis for processing

We collect and process information from CVs and conduct interviews to assess if you are fit for an open position. We receive such information directly from you as a job applicant when you contact us. Alternatively, we may collect data from recruitment agencies, websites you posted your CV on and publicly available sources, if any.

We use contact details to ask if you are interested in a job position and further communicate with you. We collect only information that is necessary and enables us to assess whether you comply with the requirements set for a job position.

If you express interest in applying for other positions at KoronaPay or CFT Group which may later be opened, we keep your data.

The legal basis:

Personal data we process

Why we need your data

We need your data to assess if we can offer you a position that fits your CV and our job requirements. We need to evaluate your education, previous experience, and skills to make this decision.

How long we store your data

We store information during the whole recruitment process, i.e until a decision on successful or unsuccessful recruitment is made. After that, we promptly delete personal data, unless a job applicant has confirmed their interest to apply for other positions in KoronaPay or CFT Group which may later be opened. In such a case, we store the data for the next three (3) years.

You can always change your mind and ask us to delete your data if you are no longer interested in a job position.

Third parties involved in processing

Your data protection rights

Under the GDPR you have several rights as a data subject. Please contact us if you want to exercise any of them. Note that we may request some additional information from you to verify your identity before we fulfill your request.

Right to access

You can ask us whether we are processing your personal data and if so, to receive or get access to a copy of your data (Article 15 of the GDPR).

Right to rectification

You can ask us to correct any errors in your personal data and make the data complete if you believe it is incomplete (Article 16 of the GDPR). You can correct some of your data in the account settings in the Mobile App.

Right to erasure of personal data (‘right to be forgotten’)

You can request us to delete your personal data (Article 17 of the GDPR). Please use the relevant option on the Mobile App or write a request to kpesup@koronapay.com. Please include in the message the phone number that you used to sign up in the Mobile App.

This right is set by the GDPR, but it also has certain restrictions under the GDPR: we are not allowed to delete your data upon your request, if we are required to retain it in accordance with law or it is necessary for the establishment, exercise or defence of legal claims (Article 17(3)(b),(e) of the GDPR).

For instance, if you initiated transfers and/or proceeded with the verification of your identity in the Mobile App, the AML legislation obliges us to retain your information and all related documents for a period of five (5) years. This requirement is set by Cyprus Law No. 188(I)/2007 The Prevention And Suppression Of Money Laundering And Terrorist Financing Law (see Article 68), EU Directive 2015/849 on the Prevention of Money Laundering and Terrorist Financing (see Article 40). So, if we receive your request, instead of deleting it we will block your account and stop processing your data for any purposes other than compliance with the law. Upon expiration of the retention period required by the law, we will delete it entirely.

Once the account is deleted or blocked it is impossible to use it or to register a new account with the same phone number, due to security reasons.

Right to restriction of processing

You have the right to ask us to restrict or suppress the processing of your personal data (Article 18 of the GDPR).

Under the GDPR, we can fulfil this right in any of the cases below:

Right to data portability

In some cases, you have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format, and, if we can perform it technically, to send your data to other organisations (Article 20 of the GDPR).

Under the GDPR, we can fulfil this right when:

Right to object

You have the right to object to the processing of your personal data (Article 21 of the GDPR), if:

In particular, you have the right to object to processing of your personal data for direct marketing purposes, such as informing about promotions and offers or viewing ads.

To make this process easier, we provide you with the following opt-out options:

You may also contact us at any time with the relevant request.

Right to withdraw a consent

If you gave us a consent for processing your data, you can always change your mind and withdraw it at anytime. This right is set by Article 7(3) of the GDPR.

We use consent as a legal basis in the following cases:

You can adjust cookies settings either in the web browser or Cookies Control bar on the Website. You may also contact us at any time with the request to stop processing your data for the recruitment purposes.

Right to lodge a complaint

Having received the request or complaint from you, we will make every effort to resolve an issue concerning your personal data.

If you believe it to be appropriate you may address your complain to the supervisory authority in sphere of personal data of the country where you reside. The right to lodge a complaint is set by Article 77(1) of the GDPR.

In Cyprus, the data protection authority is the Office of the Commissioner for Personal Data Protection, which is available via www.dataprotection.gov.cy.

How we protect your data

We implemented appropriate IT and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We follow a risk-based approach, when determining which security measures and technologies to implement.

We protect your data when it is in transit and at rest, all money transfers data are encrypted; we store your data on secure servers; backup copies of data are stored encrypted only and separately from the production system that they were made from; all workstations are equipped with anti-virus protection; there are firewalls to segregate networks.

Payment card data is securely sent and processed by CardStandard Processing Center that is certified under the Payment Card Industry Data Security Standards (“PCI DSS”). In line with this standard and rules of international payment systems (such as Visa International or MasterCard Worldwide), we never keep card security codes and do not store the payment card details in plain text.

We strictly limit access to personal data to those employees, contractors and third parties who have a business need-to-know. All personnel and third parties are bound by confidentiality obligations and are required to follow strict data protection and compliance standards while using and transferring data.

We regularly test the effectiveness of the measures and audit compliance with the set rules and procedures, we monitor security events, identify, and eliminate security vulnerabilities.

We have procedures on how to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach, where we are legally required to do so. Depending on the circumstances of the breach, KoronaPay and Payment Center (acting as joint controllers) may inform data subject separately or jointly, decide on what shall be communicated to a subject and the means of such communication.

Policy Amendment

From time to time, we may change this policy and adopt its new version. The main reasons of policy amendment are introducing new services and features, termination of services or changes in applicable legal requirements.

We will inform you about a new version via a notification on the Website or the Mobile App. In the event of significant changes in data processing terms, such as those concerning the nature or means of processing, we will notify you about changes before they become effective.

Contact details

You can address all your questions concerning our privacy practices to the Data Protection Officer of KoronaPay at dpo@koronapay.eu.

We also keep a separate mailbox for the prompt processing of your request to delete your account. Please send an email to kpesup@koronapay.com if you want to delete your account . Please include in the message the phone number your account is linked to.

You can also ask questions via the call center (see contact phones on the Website) and chat in the Mobile App.

KoronaPay acts as the Payment Center’s representative in the European Union, so you can address questions on how Payment Center processes personal data under the GDPR to dpo@koronapay.eu as well. Nevertheless, you may contact Payment Center directly at mail@rnko.ru.

Under the joint controllers’ agreement, both, KoronaPay and Payment Center are obliged to review all incoming requests related to personal data and forward the request to each other when applicable.