Privacy Policy

KoronaPay Europe Limited

Last updated 22 October 2024

If you have any questions or suggestions concerning our privacy practices, please email us at privacy@koronapay.eu. Please contact us, if you would like to request data access or deletion, or to exercise any other rights provided under the European Union (EU) law, including withdrawal of consent, data portability, etc.

Who we are

KoronaPay Europe Limited (“KoronaPay”, “we”) is an Electronic Money Institution (EMI) licensed and regulated by the Central Bank of Cyprus, the License No. 115.1.3.30.
Address: 359, 28th October str, World Trade Center, 5th floor, Limassol, 3107, Cyprus.
Email: privacy@koronapay.eu.

In certain operations KoronaPay acts as joint controller together with Credit Union Payment Center (LLC) (the “Payment Center”).
Address: 86, Kirova street, Novosibirsk, 630102, Russia.
Email: mail@rnko.ru

KoronaPay and Payment Center act as joint controllers for money transfers made through Zolotaya Korona network of partners (financial and money transfer organizations which process money transfers) and related processing activities. KoronaPay acts as a sole controller for transfers in which both a sender and recipient are in the EU, use cards issued by EU banks and transfers made through KoronaPay network of partners exclusively.

KoronaPay and Payment Center have distributed personal data duties for the processing activities in the joint controllers’ agreement in line with Article 26(2) of the Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”). Both companies have committed themselves to assist each other in fulfilling their GDPR obligations, including the execution of data subject requests. Please contact us, if you need more information about the allocation of responsibilities.

KoronaPay also acts as the Payment Center’s representative in the EU. You can contact us as specified in this Policy.

How we use your data

KoronaPay processes your personal data when you:

send or receive a money transfer online or in cash (from and to Europe or through the KoronaPay network);
use KoronaPay Mobile app (“Mobile App”) with an EU phone number;
visit KoronaPay website at https://koronapay.com/transfers/europe/ (“Website”);
contact us regarding technical support, information requests or provide a feedback;
communicate with us as a representative of a partner or of a counterparty;
apply for a job position at KoronaPay;

Please select the respective section below, to learn about how we process personal data for a particular purpose. Every section covers purpose and legal basis for processing, categories of data processed, why and for how long data is collected, who the data is shared with.

Senders and recipients of money transfers	Process money transfers Perform mandatory identity verification checks Detect and prevent fraudulent transactions and perform anti-money laundering procedures Inform about transfers, verification and other non-marketing events Comply with reporting obligations and public authorities’ requests Process support requests, information requests or feedback Send promotions and offers Conduct a referral program
Mobile App users	Enable you to use the Mobile App Optimise the Mobile App, digital marketing activities Process support requests, information requests or feedback
Website users	Use cookies technology on the Website Process support requests, information requests or feedback
Counterparties and partners	Negotiate, enter-into and perform agreements with counterparties and partners
Job applicants	Assess if a job applicant is fit for a position

The Website and Mobile App are not intended for children and anyone under the age of 18.

You are not obliged to provide your personal data to us. However, when we need your personal data to enter into and perform a contract with you, to verify your identity, perform a transfer, but you do not provide the required data, we may not be able to perform the contract we have or are trying to enter into with you. Should this be the case we will notify you.

Who we work with

Credit Union Payment Center (LLC) (Payment Center)
acts as a joint controller with respect to payment processing activities when a money transfer is made through its network of partners. Payment Center is a holder of Russian Central Bank License No. 3166-K dated 14.04.2014.
CJSC Zolotaya Korona
Under our instructions the company acts as a processor. It provides us with technical and operational facilities to perform money transfers, including sending notifications, fraud detection and customer support. It supports us with the Website and Mobile App maintenance. It provides IT, technical and operational support. All actions are performed under our real-time control.
CJSC CardStandard
Under our instructions, the company provides technical and operational facilities to perform payment card transactions in compliance with the Payment Card Industry Data Security Standards (PCI DSS) and rules imposed by international payment systems such as Visa International and Mastercard Worldwide.
CJSC Billing Center
Under Payment Center’s instructions, the company provides technical and operational facilities to sending messages (via SMS or messengers), including sending mandatory notifications. It acts as a processor.

Currently, the European Commission does not consider Russia as a country that ensures the adequate level of data protection under the GDPR. So, when transferring personal data to these companies in Russia, we have implemented additional appropriate safeguards as required under Article 46 of the GDPR.

To maintain your privacy during the money transfers, we have adopted standard data protection clauses approved by the European Commission in accordance with Article 46(2)(c) of the GDPR with all companies involved in the processing of personal data data.

Standard data protection clauses form an agreement that contains the description of mutual data protection obligations of data exporter and importer in relation to the processing of your personal data. If you need to obtain a copy, please contact us.

Financial institutions and money transfer providers

We cooperate with the network of financial institutions and money transfer institutions in many countries in the world, where you can send or receive money transfers. We also use payment processing services of international payment systems such as Visa International and Mastercard Worldwide.

When transferring data to third parties located outside Cyprus, we follow the below rules:

If you send or receive a transfer to/in countries outside the EEA which are not covered by the European Commission’s adequacy decision (such as Vietnam, Turkey and others), we share your data with partners in these countries in order to execute the money transfer you initiated and to fulfil the contract with you, or perform the contract concluded in your interest (such as when you are the recipient of the transfer). Article 49(1)(b),(c) of the GDPR provides us the legal basis for these transfers. In all cases, the amount of data is strictly limited to what is required for the performance of a transfer and partners undertake strict confidentiality obligations.

Besides, we endeavor to implement additional safeguards by signing the standard data protection clauses with all partners in countries outside the EEA which are not covered by the European Commission’s adequacy decision (in accordance with Article 46(2)(c) of the GDPR).
If you send or receive transfer to/in EEA countries, or countries, ensuring the adequate level of protection, no further safeguards are required in relation to the personal data transfers to such countries according to Article 45 of the GDPR.

Other parties involved

We may also use third-party data processors to obtain some services and software. Such providers grant an adequate, sufficient safeguarding service when it comes to processing your data, since we carefully screen service providers by including specific demands in the event that their services involve the need to process personal data.

We have necessary contracts with third-party providers. This means we are aware of operations they perform with your personal data on our behalf and instruct them how to keep your personal data secure and how long to store it.

Namely, we use services of the following third-party companies:

Third-party cloud and hosting providers which host KoronaPay’s systems or provide IT infrastructure in Europe. KoronaPay has taken measures to ensure that providers protect our users data from inappropriate use and restricts access to it by its’ personnel and subcontractors.
Third-party software providers, who act as processors and provide us with necessary software, e.g. analytical platforms, such as AppsFlyer, TrustPilot, Google Analytics, and business management tools.
We use electronic communication services and services of telecom providers to receive and process your requests, and communicate with you via email, sms, call center or in other way.

Public authorities

We are a financial regulated entity in Cyprus. We are obliged to submit information on fraud or money laundering and suspicious transactions to public authorities as required under the applicable law.

Besides, if we receive a lawful request from law enforcement or other public authorities, we may also be obliged to disclose your information to public authorities.

See more details in the section Comply with reporting obligations and public authorities’ requests.

Detailed description of data processing activities

Senders and recipients of money transfers

Process money transfers
Perform mandatory identity verification checks
Detect and prevent fraudulent transactions and perform anti-money laundering procedures
Inform about transfers, verification and other non-marketing events
Process support requests, information requests or feedback
Comply with reporting obligations and public authorities’ requests
Send promotions and offers
Conduct a referral program

When you use the Mobile App for sending money transfers, verify your identity and for other actions, we also process your data as a Mobile App user.

Process money transfers

Purpose and legal basis for processing

Our purpose is to process a money transfer which you initiate in the Mobile App or cash transfers through our Network partners. We collect information about the sender and the recipient of the money transfer.

The legal basis:

- performance of a contract to which the sender is a party: for processing sender’s data (Article 6(1)(b) of the GDPR);
- legitimate interests to perform a contract with the sender: for processing recipient’s data; to perform our obligations under a money transfer agreement with a third party (network of partners, etc.): for processing transfers received from a third-party provider we have an agreement with; to keep data that is necessary to exercise and defend our legal claims in case a dispute arises (Article 6(1)(f) of the GDPR);
- compliance with legal obligations of KoronaPay as required by laws on anti-money laundering and combating the finance of terrorism (“AML”) as well as accounting requirements (Article 6(1)(c) of the GDPR).

Personal data we process

To process a money transfer, we need information about the sender, recipient and payment details. Depending on the type of transfer (card to cash, card to bank account, bank transfer to cash, cash to cash, etc.) the exact data we collect is different.

About a sender:

Full name, date of birth, permanent address and phone number;
Additional identification data depending on the transfer amount, sender’s and recipient’s details, risk level (please see section Perform mandatory identity verification checks);
Bank account details: IBAN, SWIFT, full name, payment date;
Bank card details: card holders’ name, card number (PAN), card expiration date, security code (CVC/CVV). For other types of payments different data may be used, depending on your provider (for example, Klarna). All card information is processed by a PCI DSS compliant company.

About a recipient:

Full name, destination country, phone number, recipient’s address;
Bank account details: IBAN, full name;
Bank card details: card number (PAN), card expiration date. All card information is processed by PCI DSS compliant company.

Money transfer details:

country of transfer origin and destination country, type, amount, currency, purpose description, time and date of sending and processing the transfer, order ID, Money Transfer Control Number (MTCN), unique id of a card transaction (RRN).

We may also collect additional data if it is required under the legislation of a transfer destination country in order to enable the transfer to this country or to Detect and prevent fraudulent transactions and perform anti-money laundering procedures.

Depending on a type of transfer, we receive this information directly from the sender in the Mobile App, from network of partners through which a transfer was initiated was initiated.

Why we need your data

We need this information to process a payment order initiated by a sender in compliance with the transfer terms and obligatory requirements set for money transfers. The sender’s data (such as full name, date of birth, permanent address and phone number) is also saved in the sender’s account in the Mobile app and is available for the user at any time.

How long do we store your data

According to AML legislation, we must retain user account and all related data and documents for at least five (5) years after you made a transfer or identity verification request in the Mobile App, any risk is revealed, which requires us to retain data or after the end of business relationship with you. The AML legislation includes Cyprus Law No. 188(I)/2007 The Prevention And Suppression Of Money Laundering And Terrorist Financing Law (see the Article 68), EU Directive 2015/849 on the Prevention of Money Laundering and Terrorist Financing (see the Article 40) and other laws and regulations applicable to us under the EU and Cyprus law (“AML legislation”).

Besides, under Article 72 of the Payment Services Directive (EU) 2015/2366, it is also obligatory to retain evidence of all payment transactions as a proof of proper authorization and execution of payment transactions.

At the end of the retention period, we will erase your data, unless we are required to keep your data longer on other legal grounds (e.g. as a part of an investigation or if legislation changes).

Besides, as transfers are made through the network of partners or Payment Center, these entities may also be obliged to retain your data to comply with national anti-money laundering and other laws they are subject to. For instance, Payment Center is subject to Russian Bank Law No. 395-1 that obliges them to keep the evidence of all executed payments. Furthermore, the Russian anti-money laundering and anti-terrorism legislation requires Payment Center to retain the user activity history for five (5) years after the end of business relationship with a transfer sender.

Third parties involved in processing

Network partners, i.e. financial and money transfer institutions through which a transfer is received or sent;
Payment systems (e.g. Visa International and Mastercard Worldwide), if a transfer is made from or to a card;
Companies which provide IT, technical and organisational support, perform payment card validation, support the infrastructure maintenance;
Cloud and hosting providers which host KoronaPay’s systems or provide IT infrastructure in Europe.

Perform mandatory identity verification checks

Purpose and legal basis for processing

As a licensed electronic money institution, KoronaPay is subject to European and Cyprus AML legislation. So, we must collect and verify data about the senders and recipients of money transfers to prevent money laundering and terrorist financing activities. KoronaPay collects data to the extent strictly necessary to fulfil applicable legal requirements.

The legal basis:

- compliance with legal obligations KoronaPay is subject to (Article 6(1)(c) of the GDPR);
- legitimate interest to develop and improve our identity verification system (Article 6(1)(f) of the GDPR).

Available opt-out options

In accordance with Article 21 of the GDPR, you may contact us to object to using your data to develop and improve the identity verification system. If we receive from you the opt-out request, we will stop using your data for such a purpose.

Personal data we process

The scope of data collected for the verification purpose depends on:

the transfer limits;
the overall amount of money you transferred within a certain period;
the applicable level of risk.

For transfers below the basic limit, KoronaPay requests the sender’s full name, date of birth, permanent address, phone number and a recipient’s full name and bank details.

For transfers above the basic limit and depending on the risk level, KoronaPay additionally collects:

passport or other identity document data. An access to the phone camera is requested to process the photo and to check if it matches with the photo in the official document;
residential status, and employment data. It may be necessary to also collect document that confirms the residential address, e.g. a utility bill;
source of income (a bank statement, payslip, employment contract, an official letter from an employer, etc.)

Besides, additional data can be requested by KoronaPay’s Compliance team if the provided information is insufficient to complete a verification. Read more about the existing limits for transfers and the verification process.

We may use photos of your passport or other identity document you provide us to develop and improve our identity verification system.

Why we need your data

KoronaPay must check validity of the provided document and verify if the person making a payment order is real (not a robot), if a person is a politically exposed person (PEP), if a person is included in a blacklist or falls under any other restrictions. We receive the information from you directly and consult with AML approved sources and lists.

We use an identity verification system that helps us automatically verify documents. To develop and improve this system, we need sample passports or other identity documents photos. We use them to train the system to improve fraud prevention processes and fulfil the AML legislation requirements.

Although the preliminary check is performed automatically, KoronaPay’s Compliance team performs manual examinations to make a decision.

How long do we store your data

According to the AML legislation, we must retain user account and all related data and documents for at least five (5) years after you made any transfer or identity verification request, or any risk is revealed, which requires us to retain data.

At the end of the retention period, we will erase your data, unless we are required to keep your data longer on other legal grounds (e.g. as a part of an investigation or if a legislation changes).

Data that is used to train the identity verification system is erased from the system immediately after use.

Third parties involved in processing

Companies which provide IT, technical and organisational support, maintains infrastructure;
Cloud and hosting providers which host KoronaPay’s systems or provide IT infrastructure in Europe.

Detect and prevent fraudulent transactions and perform anti-money laundering procedures

Purpose and legal basis for processing

Our purpose is to detect and prevent payment fraud, terrorism financing and money laundering by assessing transfers and monitoring them on an ongoing basis. We are required to do so by the AML legislation.

The legal basis: - compliance with legal obligations KoronaPay is subject to (Article 6(1)(c) of the GDPR).

Personal data we process

The volume of personal data we use for identifying and detecting fraudulent activities depends on the type of transfer, risk level, restrictions in place and fraud scenarios we identify.

Generally, we use the following categories of personal data:

information about a sender and recipient, history of transfers, changes of critical data, information on involvement in illegal activities, blacklist status (these data is mostly received to Perform mandatory identity verification checks and to Process money transfers);
information about mobile device, such as device ID, device type, operating system, geolocation data (IP address and GPS), parameters of logins to accounts, and other technical data;
activity in the Mobile App and on the Website, such as events of registering, calculating the tariff, selecting the specific transfer destination, sending the money transfer, etc.;
contact information: to contact the sender if we identify a suspicious operation.

The Compliance team can request additional information on the sender, recipient and source of funds or the purpose of a transfer, if it is necessary to prevent fraud, terrorism financing, money laundering or any other illegal activities.

Why we need your data

Under the AML legislation, we are required to collect and process data:

to perform anti-money laundering and anti-terrorism procedures
Under our internal procedures, we assess users’ profiles, establish limits for money transfers and check if a person is not in any sanctions list, list of restricted or prohibited persons, to whom money transfer services cannot be provided. We also improve our due diligence procedures and applied measures based on analysis of data.
to detect and prevent fraud
According to our internal procedures, we divide all transfers into different risk levels. Depending on this and several other factors, we monitor money transfers and can temporarily block a transfer to manually investigate and assess if it involves any illegal activity. We may also need to call or email you to be sure that the transfer is valid.

How long we store your data

According to AML legislation, we must retain user account and all related data and documents for at least five (5) years after you made any transfer or identity verification request, or any risk is revealed, which requires us to retain data.

At the end of the retention period, we will erase your data, unless we are required to keep your data longer on other legal grounds (e.g. as a part of an investigation or if a legislation changes).

Third parties involved in processing

Companies which support anti-fraud activities, perform payment card validation, provide IT and organisational support;
Cloud and hosting providers which host KoronaPay’s systems or provide IT infrastructure in Europe.

Inform about transfers, verification and other non-marketing events

Purpose and legal basis for processing

Our purpose is to send payment receipt, important information on the transfer and how it can be received, remaining amount of the limit, inform you about the identity verification process, maintenance activities or other service issues.

The payment receipt is sent to your email. We may also inform you via push-notifications in the Mobile App, SMS or messengers. In some cases, our customer support team may call you.

Under Articles 46, 48 and 49 of the Payment Services Directive (EU) 2015/2366, KoronaPay is obliged to make payment information available to the sender and the recipient after the money transfer is initiated and executed.

The legal basis:

- compliance with legal obligations: for mandatory notifications required by law (Article 6(1)(c) of the GDPR);
- legitimate interest to provide the necessary information and to facilitate correct use of the money transfer service: for all other notifications (Article 6(1)(f) of the GDPR).

Personal data we process

We do not collect any additional data for such communications. Instead of that, we use the contact details you have already provided us with in your profile or while making a transfer. Namely, we use the following information to contact you:

Contact details (phone, email, name of the sender and recipient, push-token of users’ devices that allows us to send push-notifications);
The transfer details, such as e.g. status, amount, currency, destination, date of sending, MTCN; identity verification details and its status, to the extent required for a particular notification.

Why we need your data

We need to keep you informed about the money transfers you have initiated in the Mobile App, identity verification process, and any operating issues that may affect your interaction with our services. Our aim is to facilitate correct use of our services and inform recipients on the possible options on how to receive transfers.

How long we store your data

At the end of the retention period, we will erase your data, unless we are required to keep your data longer on other legal grounds (e.g. as a part of an investigation or if a legislation changes).

Third parties involved in processing

Companies which issue notifications on the status of money transfers, technically enable sending messages (via SMS, messengers, etc), provide IT and organisational support;
Cloud and hosting providers which host KoronaPay’s systems or provide IT infrastructure in Europe.
Telecom providers and electronic communication services through which a notification is sent.

Comply with reporting obligations and public authorities’ requests

Purpose and legal basis for processing

By law KoronaPay is obliged to notify the Cyprus Unit for Combating Money Laundering (“MOKAS”) about events which are or could be related to money laundering or terrorist financing activities.

Besides, we are obliged to fulfill requests that we may receive from law enforcement and other public authorities and courts, e.g. in case of a criminal or government investigation. We always review the legality of disclosure requests before providing any information.

As the transfer service is provided through the chain of financial institutions, including Payment Center, these institutions may also be subject to reporting requirements under the legislation applicable to them and have to comply with disclosure requests.

The legal basis: - compliance with legal obligation KoronaPay is subject to (Article 6(1)(c) of the GDPR).

Personal data we process

When required by law, we use your personal data to file reports to MOKAS and respond to official request of public authorities. This data is received from you to Process money transfers, to Perform mandatory identity verification checks and to Detect and prevent fraudulent transactions and perform anti-money laundering procedures.

The reports may include the following information:

Name, residential and business address;
Occupation data;
Information on passport or other ID;
Details of suspicious activities and reasons for considering it;
Documents related to a suspicious transaction.

Why we need your data

Notifying the public authorities and compliance with disclosure requests is our legal duty.

How long we store your data

We keep the records of communications with the public authorities for five (5) years. At the end of the retention period, we erase data, unless we are required to keep your data longer on other legal grounds (e.g. as part of an investigation).

Third parties involved in processing

We transmit reports and disclose information to public authorities which are vested with the right to request and process such information by law.

Process support requests, information requests or feedback

Purpose and legal basis for processing

Our purpose is to process requests when you call us or send a request. Users can reach us out via the following channels:

call to our call center; All calls are recorded for the quality control purposes. You can always message us, if you prefer not to be recorded;
message in the Mobile App chat;
submit a form on the Website;
email us to specified contact emails.

In general, we may receive the following types of requests:

notification on the misuse of payment or user account information
Under the Payment Services Directive (EU) 2015/2366 (Article 69(b)) and the Online Money Transfer Services Terms & Conditions (article 11.4, 11.5), users are obliged to notify KoronaPay if they suspect the loss, theft, copy or the misuse of their payment or user account information. Upon the request, KoronaPay must take all reasonable steps to prevent its further unauthorised use.

support requests concerning transfers, use of the Mobile App and other requests, such as those related to personal data processing
Our purpose of processing will be to fulfil your request. To help you with a technical support issue, we may need to ask you to provide your contact data, identification details and additional information about the case.

feedbacks
It is important for us to receive your feedback to make our service better. Sending the feedback is voluntarily for all users. Processing users’ feedback constitutes our legitimate interest to resolve an issue you have troubles with, identify deficiencies in our services as they occur, to assess views of existing users on using money transfer services and receive ideas for improvements.

The legal basis:

- compliance with legal obligation for processing of account misuse requests or other requests we are required to process by law (Article 6(1)(c) of the GDPR);
- performance of a contract with you (Article 6(1)(b) of the GDPR);
- legitimate interests to answer requests of potential customers, processing of feedbacks and ensure quality control of the customer support conversations; to keep data necessary to exercise and defend our legal claims in case a dispute arise (Article 6(1)(f) of the GDPR).

Personal data we process

The information we need may vary depending on the nature of your request and the communication channel you choose. Generally, we process the following categories of data:

contact data (full name, phone, email);
data about your account and transfers, if it is relevant for the request solving. We may also ask for your MTCN (unique transaction number) to find the transfer in our systems;
content of request or feedback;
other details related to the case e.g. location data, if you want to know about available agent locations for transfer withdrawal by cash;
recordings of phone calls to the call center.

Why we need your data

We need to process personal data to identify you as sender or a recipient of a transfer, a user of the Mobile App, understand your case and to help you to resolve it. Recording of the calls is necessary to ensure quality control of the customer support provided to existing and potential customers.

How long we store your data

We process data from the information request until the issue is resolved or we have fulfilled your request. We then store data for up to 3 years to be able to exercise and defend our rights in case a dispute arise. If a request relates to a money transfer, verification or any risk, such information is stored during 5 years to comply with anti-money laundering laws requirements.

Third parties involved in processing

CCompanies which maintain the technical infrastructure for receiving your requests and provides customer support services;
Third-party software provider (TrustPilot service), which arranges receiving feedbacks.
Telecom providers and electronic communication services through which we communicate with you.

Send promotions and offers

Purpose and legal basis for processing

Our purpose is to notify you about new system features, promotions and offers that we expect to be of interest for you.

To make offers specific and commercially reasonable and to reduce the number of messages as well, we use your personal data to define what message is the most relevant for you. We may use different communication channels, including push-notifications, SMS, messengers or email.

The legal basis:

- legitimate interest to promote our services among the users and inform you on the best possible way to use the service (Article 6(1)(f) of the GDPR). You can unsubscribe at any time.

Available opt-out options

In accordance with Article 21 of the GDPR, we provide you with the following options to object to direct marketing:

there is an unsubscribe link in every communication you receive from us, where technically feasible;
you may switch off the option of receiving any marketing information from us in the Mobile App profile settings;
you may contact us with the relevant request.

If we receive from you the opt-out request, we will stop sending you our promotions and offers or any other marketing communications. Please note, that this process can take some time, because at the moment you send an opt-out request some message sending scripts may have already been initiated.

Personal data we process

Contact details and communication channel (phone number, email);
History of your transfers and Mobile App use, such as frequency of money transfers, destinations and money transfer amounts, if you completed transfers that you initiated, whether you are a new or existing user, customer segment, and other criteria of your account that may be relevant for a particular communication;
Location data to inform you on territory-specific offers;
Information on how you interact with our promotions and offers.

Why we need your data

KoronaPay conducts these processing activities to notify you about relevant news, promotions and offers and to make the communications relevant for you.

How long we store your data

The option to unsubscribe is available to you in all our messages. If you unsubscribe, KoronaPay will stop sending to you any marketing information.

Basically, we store data for five (5) years, unless you ask us to delete your account earlier. The possibility to delete account may be restricted due to anti-money laundering and anti-terrorism requirements (see Right to erasure of personal data).

Third parties involved in processing

Companies which support the Mobile App maintenance, preparation of marketing communications, technically enable sending messages (via SMS, messengers, etc), provide IT and organisational support;
Telecom providers and electronic communication services through which a notification is sent.

Conduct a referral program

Purpose and legal basis for processing

We have a referral program that allows our users to receive a reward. See more details on the program here. We issue a promo code and check if a sender used it during a transfer. If conditions of the referral program are met, we ask for bank details to pay the reward.

The legal basis:

- performance of a contract to which the sender is a party (Article 6(1)(b) of the GDPR);
- compliance with legal obligations: for storage of accounting information (Article 6(1)(c) of the GDPR);
- legitimate interest to exercise and defend our legal claims in case a dispute arise (Article 6(1)(f) of the GDPR).

Personal data we process

Information about the sender of a transfer, promo codes issued and used (name, user id, promo code number, issue date);
Information on transfers made with the use of a promo code and necessary to check if the eligibility criteria and conditions are met (amount of a transfer, if a user already used other promo codes, etc.);
Bank information (IBAN, recipient name) to pay a reward.

Why we need your data

We process data to issue a promo code for a sender of a transfer, check if the promo code was used and if the eligibility criteria are met. Besides, to pay the reward we ask you to provide bank details. We must keep data on all executed payments made under the program for accounting purposes.

How long we store your data

We store information on all payments made and related data within five (5) years after such a payment is made, to comply with laws and to be able to exercise and defend our legal claims in case a dispute arise.

Third parties involved in processing

Companies which provide IT, technical and organisational support, maintain infrastructure;
Telecom providers and electronic communication services through which we communicate.

Mobile App users

Enable you to use the Mobile App
Optimise the Mobile App, digital marketing activities
Process support requests, information requests or feedback

When you send or receive money transfers, we also process data as a sender or recipient of money transfers.

Enable you to use the Mobile App

Purpose and legal basis for processing

To become a new user of our online money transfer services, you must sign up in the Mobile App. The registration requires you to enter your mobile phone number and confirm it.

While using the Mobile App for money transfers and verification your identity you enter a number of information about the transfer, the sender and recipient of data. We store this data and make it available to you in the profile. The Mobile App allows you to save the payment card credentials for using them in further payments you perform.

We also log actions and events in the Mobile App to Optimise the Mobile App, digital marketing activities and to Detect and prevent fraudulent transactions and perform anti-money laundering procedures.

The legal basis:

- taking steps for entering into contract (Terms & Conditions) with you and perform the contract (Article 6(1)(b) of the GDPR);
- legitimate interest to provide you the Mobile App functionality (Art. 6(1)(f) of the GDPR.

While using the Mobile App, you are also asked to grant access to:

contact list: to enable to search for the recipient’s phone number directly from the contact list and avoid errors in entering the data;
location data: to automatically fill in the country;
phone camera: to take a photo for an application to Perform mandatory identity verification checks. You can also scan the card and automatically fill the card details in the payment order.

The legal basis: consent you provide by allowing the respective function in the Mobile App (Article 6(1)(a) of the GDPR).

Personal data we process

phone number
assigned user-id, push-token of your phone, IP-address, user-agent, session-id, log files and other technical information with respect to your device and your actions in the Mobile App;
contact details form the contact list, location, data from camera;
information on your profile, transfers or verification requests made in the Mobile App (from the process to Perform mandatory identity verification checks and Process money transfers).

Why do we need this data

We identify you as a user by the phone number you enter. KoronaPay provides the Mobile App to users with EU-based phone numbers. Other users are supported by Payment Center.

Once registered, all transfers and verifications under your user account will be associated with this phone number. We also create a user ID that is uniquely associated with your phone number. We use this ID to organise data interchanges between our internal systems.

An access to contact list, location and other non-essential features is asked to make your user experience in the Mobile App better.

Available account management options

You can delete your account by using the relevant option in the Mobile App or write a request to kpesup@koronapay.com. Please include in the message the phone number your account is linked to.

The possibility to delete an account may be restricted due to anti-money laundering and anti-terrorism requirements we are subject to. In such a case we will block your account. See more details in the section Right to erasure of personal data.

Once the account is deleted or blocked it is impossible to use it or to register a new account with the same phone number.

How long we store your data

Third parties involved in processing

Companies which provide IT, technical and organisational support, provide infrastructure and arrange the sending of a confirmation code to your phone number.

Optimise the Mobile App, digital marketing activities

Purpose and legal basis for processing

In the Mobile App you operate with financial data and we need to make sure that the app works correctly. We use our own logging tools to monitor the continuity of a Mobile App and to collect information about the circumstances of the failure if it occurs. Our purpose is to collect the data about the way you use the app (user account event log) to detect and fix technical issues in a timely manner.

Besides, we use third-party services (e.g AppsFlyer) to gather information on how you interact with the Mobile App, to show you the information on promotions and offers on the Internet, including search engines, public web resources and social networks.

The legal basis:

- legitimate interest to ensure that the Mobile App works correctly, to analyse the users behavior for improvement and marketing of our services (Article 6(1)(f) of the GDPR).

Available opt-out options

In accordance with Article 21 of the GDPR, you can refuse from logging your data for analytical and marketing purposes. You can do so in the Mobile App account settings or by contacting us.
When you see our advertising, you may use an option of “stop seeing this ad” (by clicking to close the specific ad) which is available on search engines and in social networks.

Personal data we process

user account event logs, such as registering in the Mobile app, calculating the tariff, sending a money transfer, selecting the specific transfer destination, adding the incoming money transfer to the account or card, etc;
user account data, such as assigned user_id, time zone, IP-address, language settings;
user errors, such as the sequence of filling in forms or common mistakes users make;
information about the mobile device, such as device type and model, type and version of operating system, network connection type and speed, available memory, accesses you granted for our Mobile App;
information about the installed version of our Mobile App: id, version, installer data;
system settings, such as screen resolution, screen colour depth and other technical data;
information about the source of visit, interaction with our marketing campaign, etc.

Why we need your data

We use logging and analytical tools to ensure that the Mobile App works properly and is easy to navigate within. We also conduct these processing activities to promote the money transfer services on the Internet.

How long we store your data

We store logs and technical data in analytics for up to two (2) years. Some data is included in your account profile, in which case it is stored for as long as you use an account or five (5) years (see process Enable you to use the Mobile App).

Third parties involved in processing

Companies which support maintenance of the Mobile App and customer support services;
Third-party providers of analytical platforms (such as e.g., AppsFlyer) and digital marketing platforms.

Website users

Use cookies technology on the Website
Process support requests, information requests or feedback

Use cookies technology on the Website

Purpose and legal basis for processing

On the Website, we use cookies technology that gathers information on your settings, how you use the Website, from which sources or marketing campaign you came to the Website, how much time you spent on the Website and which pages you visited.

This allows us to obtain insight on how to improve our Website or what new features and products we should develop. We also use the data to inform the audience for our digital marketing activities, and to assess the efficiency of our digital marketing campaigns.

The legal basis:

- consent: for analytical and marketing cookies (Article 6(1)(a) of the GDPR);
- legitimate interest to ensure that the Website functions properly: for necessary cookies (Article 6(1)(f) of the GDPR).

Available consent withdrawal options

You can always change your choice by using the Cookie Control function provided in the bottom of the Website or by adjusting the Website settings in the web browser you use.

Personal data we process

• Analytical and marketing cookies, e.g.:

Name	Purpose	Provider
_ga	To collect and analyse information about how visitors use our Website. We use the information to compile reports which help us to improve the Website and evaluate effectiveness of marketing campaigns and to adapt them to target audience.	Google Analytics
_gid
_gat_UA-*

• Necessary cookies, e.g.:

Name	Purpose	Provider
Client-id	To know what choice, you made for cookie management.	CJSC Zolotaya Korona
CookieControl	To know what choice, you made for cookie management.	CJSC Zolotaya Korona
qpayweb/3.0_*	To show you the correct landing page and language of the Website depending on your location	CJSC Zolotaya Korona

• other technical data (user agent, screen resolution, screen colour depth; a source from which you are redirected to the Website, timestamp, etc.).

Why we need your data

We conduct these processing activities to improve our Website and your user experience. Data is also necessary to gain an understanding of our audience for marketing campaigns on the Internet and to promote our money transfer services.

Typical scenarios for use of the analytics are the following:

Analysing visiting statistics (such as the number of active users), behaviour patterns and user errors (such as the sequence of filling in forms or common mistakes users make), clicks and scrolls;
Evaluating KPIs for specific services or categories of services;
Analysing how many users are redirected from our marketing campaigns and organic search engine results.

We use analytical and marketing cookies only if you allow us to do so. When visiting and using the Website, you can adjust cookies settings to allow the use of cookies or disable them.

How long we store your data

A retention period for the cookies is set for each cookie type and is commonly limited to three (3) months. They automatically expire after the set retention period. You can also delete cookies from your device in the browser settings.

Third parties involved in processing

Companies that support the Website maintenance and perform analytical and digital marketing tasks upon our request;
Third-party processors that provide us with analytical platforms, such as Google Analytics.

Counterparties and partners

Negotiate, enter into and perform agreements with counterparties and partners

Negotiate, enter-into and perform agreements with counterparties and partners

Purpose and legal basis for processing

We are constantly working on extension of our business network to provide money transfer services to our users. Besides, we may engage third-party service providers and outsource some activities.

To communicate and negotiate engagement conditions with potential counterparties we collect, and process contact information about representatives of such counterparties. Also, when concluding a contract we receive information on the signatories of the agreement and the basis of their authorities.

With respect to money transfer provider and other partners, we collect a due diligence file before proceeding with the engagement. We must make sure that partners follow our standards and there are no reputational, regulatory, or other commercial risks arising due to engagement of a partner. From time to time, we may also ask to confirm whether the provided information is still up to date.

The legal basis:

- taking steps for entering into a contract with a data subject and perform the contract, if a contract is signed with an individual (Article 6(1)(b) of the GDPR);
- legitimate interest to enter into an agreement and perform it as well as to conduct necessary due diligence procedures, if an agreement is signed with a legal entity; to keep data necessary to exercise and defend our legal claims in case a dispute arises (Art. 6(1)(f) of the GDPR);
- compliance with legal obligations KoronaPay is subject to, e.g. AML legislation (Article 6(1)(c) of the GDPR).

Personal data we process

Contact details (name, title, company, email, phone);
Legal information (basis of authorities, details of power of attorneys, registered address);
Content of the agreement and negotiations;
Information on directors, shareholders and beneficial owners for due diligence (name, passport or other identification document, date of birth, residence address, share amount, other facts necessary for due diligence as required by law and our internal procedures);
Bank information (IBAN, recipient name).

Why we need your data

We need data to contact potential and existing counterparties and their representatives, to conclude legally valid contracts with duly authorized representatives. We must conduct due diligence procedures to ensure the safety and quality of our services and to comply with applicable requirements.

How long we store your data

We store information within the period of a contract’s validity and five (5) years after its termination, to comply with laws and to be able to exercise and defend our legal claims in case a dispute arises.

Third parties involved in processing

Cloud and hosting providers which host KoronaPay’s systems or provide IT infrastructure in Europe;
Telecom providers and electronic communication services through which we communicate.

Job applicants

Assess if a job applicant is fit for a position

Assess if a job applicant is fit for a position

Purpose and legal basis for processing

We collect and process information from CVs and conduct interviews to assess if you are fit for an open position. We receive such information directly from you as a job applicant when you contact us. Alternatively, we may collect data from recruitment agencies, websites you posted your CV on and publicly available sources, if any.

We use contact details to ask if you are interested in a job position and further communicate with you. We collect only information that is necessary and enables us to assess whether you comply with the requirements set for a job position.

If you express interest in applying for other positions at KoronaPay which may later be opened, we keep your data.

The legal basis:

- legitimate interest to employ personnel who are fit for the for position (Art. 6(1)(f) of the GDPR);
- consent for keeping data of job applicants who expressed interest in other positions at KoronaPay (Article 6(1)(a) of the GDPR).

Personal data we process

Contact details (name, email, phone);
Education and experience information (employment period, occupation, responsibilities, information on diplomas, trainings accomplished, licenses obtained, skills, etc.);
Results of an interview and information that a job applicant provided to us in their own initiative.

Why we need your data

We need your data to assess if we can offer you a position that fits your CV and our job requirements. We need to evaluate your education, previous experience, and skills to make this decision.

How long we store your data

WWe store information during the whole recruitment process, i.e until a decision on successful or unsuccessful recruitment is made. After that, we promptly delete personal data, unless a job applicant has confirmed their interest to apply for other positions in KoronaPay which may later be opened. In such a case, we store the data for the next three (3) years.

You can always change your mind and ask us to delete your data if you are no longer interested in a job position.

Third parties involved in processing

Companies and recruitment agencies, which help with the recruitment process;
Cloud and hosting providers which host KoronaPay’s systems or provide IT infrastructure in Europe;
Telecom providers and electronic communication services through which we communicate.

Your data protection rights

Under the GDPR you have several rights as a data subject. Please contact us if you want to exercise any of them. Note that we may request some additional information from you to verify your identity before we fulfill your request.

Right to access

You can ask us whether we are processing your personal data and if so, to receive or get access to a copy of your data (Article 15 of the GDPR).

Right to rectification

You can ask us to correct any errors in your personal data and make the data complete if you believe it is incomplete (Article 16 of the GDPR). You can correct some of your data in the account settings in the Mobile App.

Right to erasure of personal data (‘right to be forgotten’)

You can request us to delete your personal data (Article 17 of the GDPR). Please use the relevant option on the Mobile App or write a request to kpesup@koronapay.com. Please include in the message the phone number that you used to sign up in the Mobile App.

This right is set by the GDPR, but it also has certain restrictions under the GDPR: we are not allowed to delete your data upon your request, if we are required to retain it in accordance with law or it is necessary for the establishment, exercise or defence of legal claims (Article 17(3)(b),(e) of the GDPR).

For instance, if you initiated transfers and/or proceeded with the verification of your identity in the Mobile App, the AML legislation obliges us to retain your information and all related documents for a period of five (5) years. This requirement is set by Cyprus Law No. 188(I)/2007 The Prevention And Suppression Of Money Laundering And Terrorist Financing Law (see Article 68), EU Directive 2015/849 on the Prevention of Money Laundering and Terrorist Financing (see Article 40). So, if we receive your request, instead of deleting it we will block your account and stop processing your data for any purposes other than compliance with the law. Upon expiration of the retention period required by the law, we will delete it entirely.

Once the account is deleted or blocked it is impossible to use it or to register a new account with the same phone number, due to security reasons.

Right to restriction of processing

You have the right to ask us to restrict or suppress the processing of your personal data (Article 18 of the GDPR).

Under the GDPR, we can fulfil this right in any of the cases below:

You challenge the accuracy of your personal data for a period, enabling us to verify the accuracy of the personal data;
You have objected to the processing of your personal data (according to Article 21(1) of the GDPR) and you are waiting for verification of whether our legitimate grounds override your interests, rights, or freedoms.
You believe the processing is unlawful and want to restrict the use of your data instead of deleting your data;
You need us to keep the data for you to establish, exercise or defend legal claims.

Right to data portability

In some cases, you have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format, and, if we can perform it technically, to send your data to other organisations (Article 20 of the GDPR).

Under the GDPR, we can fulfil this right when:

we rely on a consent or performance of a contract with you as the legal basis for such data processing;
we process data with automated tools

Right to object

You have the right to object to the processing of your personal data (Article 21 of the GDPR), if:

we rely on our legitimate interests to process your personal data; and
we cannot demonstrate a compelling legitimate interest that would override you interests, rights or freedoms.

In particular, you have the right to object to processing of your personal data for direct marketing purposes, such as informing about promotions and offers or viewing ads, and for purposes of developing and improving the identity verification system.

To make this process easier, we provide you with the following opt-out options:

unsubscribe link in communications we send you;
switching off the option of receiving any marketing information from us in the personal account settings in the Mobile App;

You may also contact us at any time with the relevant request.

Right to withdraw a consent

If you gave us a consent for processing your data, you can always change your mind and withdraw it at anytime. This right is set by Article 7(3) of the GDPR.

We use consent as a legal basis in the following cases:

use of analytical and marketing cookies (see Use cookies technology on the Website);
keeping data of job applicants who expressed interest in other positions at KoronaPay which may later occur (see Assess if a job applicant is fit for a position).

You can adjust cookies settings either in the web browser or Cookies Control bar on the Website. You may also contact us at any time with the request to stop processing your data for the recruitment purposes.

Right to lodge a complaint

Having received the request or complaint from you, we will make every effort to resolve an issue concerning your personal data.

If you believe it to be appropriate you may address your complain to the supervisory authority in sphere of personal data of the country where you reside. The right to lodge a complaint is set by Article 77(1) of the GDPR.

In Cyprus, the data protection authority is the Office of the Commissioner for Personal Data Protection, which is available via www.dataprotection.gov.cy.

How we protect your data

We implemented appropriate IT and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We follow a risk-based approach, when determining which security measures and technologies to implement.

We protect your data when it is in transit and at rest, all money transfers data are encrypted; we store your data on secure servers; backup copies of data are stored encrypted only and separately from the production system that they were made from; all workstations are equipped with anti-virus protection; there are firewalls to segregate networks.

Payment card data is securely sent and processed by CardStandard Processing Center that is certified under the Payment Card Industry Data Security Standards (“PCI DSS”). In line with this standard and rules of international payment systems (such as Visa International or MasterCard Worldwide), we never keep card security codes and do not store the payment card details in plain text.

We strictly limit access to personal data to those employees, contractors and third parties who have a business need-to-know. All personnel and third parties are bound by confidentiality obligations and are required to follow strict data protection and compliance standards while using and transferring data.

We regularly test the effectiveness of the measures and audit compliance with the set rules and procedures, we monitor security events, identify, and eliminate security vulnerabilities.

We have procedures on how to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach, where we are legally required to do so. Depending on the circumstances of the breach, KoronaPay and Payment Center (acting as joint controllers) may inform data subject separately or jointly, decide on what shall be communicated to a subject and the means of such communication.

Policy Amendment

From time to time, we may change this policy and adopt its new version. The main reasons of policy amendment are introducing new services and features, termination of services or changes in applicable legal requirements.

We will inform you about a new version via a notification on the Website or the Mobile App. In the event of significant changes in data processing terms, such as those concerning the nature or means of processing, we will notify you about changes before they become effective.

Contact details

You can address all your questions concerning our privacy practices to the Data Protection Officer of KoronaPay at privacy@koronapay.eu.

We also keep a separate mailbox for the prompt processing of your request to delete your account. Please send an email to kpesup@koronapay.com if you want to delete your account . Please include in the message the phone number your account is linked to.

You can also ask questions via the call center (see contact phones on the Website) and chat in the Mobile App.

KoronaPay acts as the Payment Center’s representative in the European Union, so you can address questions on how Payment Center processes personal data under the GDPR to privacy@koronapay.eu as well. Nevertheless, you may contact Payment Center directly at mail@rnko.ru.

Under the joint controllers’ agreement, both, KoronaPay and Payment Center are obliged to review all incoming requests related to personal data and forward the request to each other when applicable.