Privacy Policy

This privacy policy will describe the way Paynetics collect, store and use your personal information regarding the mobile application Destream and Paynetics card as well as the purposes for their collection and the grounds of their collection and processing including the rights of the personal data subjects with regard to Regulation (EU) 2016/679 of the European Parliament and the Council from 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive).

Definitions

"Functionalities" – means all services which Destream app offers, and which are explained in detail in our Terms of Service

"destream card" means the application, through which Destream Services LTD, with seat and management address: Limassol, Cyprus, HE 418613 Gladstonos 139A, 1st Floor, 3032, provides you certain services via its mobile application which you may download for free from Google Play Store and/or App Store and which, when installed in your mobile device, allows you to execute defined payment functionalities which are explained in detail in our Terms of Service.

"Paynetics" means "Paynetics AD", with seat and management address: Sofia, Sofia Municipality, commune of Losenets, 76-A, James Bourchier Blvd., ground floor, entered in the Commercial Register and Register of Non-Profit Legal Entities maintained by the Registry Agency under UIN No. 31574695. Paynetics AD is a company for e-money, holder of a license for performing activity as e-money company, issued by the Governing board of Bulgarian National Bank with Decision № 44 from 11 Април 2016 and is entered into the register kept by Bulgarian National Bank which may be found here. Bulgarian National Bank performs supervision on the activity of "Paynetics" AD. "Paynetics" AD is registered as an administrator of personal data with Certificate № 3721 / 25.01.2015 in the Commission for Personal Data Protection.

"Phyre" means "Phyre AD" - company registered in Republic of Bulgaria with UIN No. 203617076 which technically maintains and exploits Destream App. Phyre provides services as a provider of technical services supporting the provision of payment services without assuming possession of the funds which should be transferred, including through processing and storage of data, the authenticity of the data and the object, the information technologies and the communication network, procurement, provision and maintenance of terminals and devices used for payment services, excluding the services for initiation of payments and information services on accounts. Phyre processes your personal data as a Paynetics processor.

"Paynetics" or "we","our" or "us" is the administrator of your personal data and "Phyre" is the processor of your personal data for the purposes of the Destream App.

This policy represents an important document. We recommend that you read it carefully, print it out and keep a copy for further reference.

How to contact us

In case you have questions regarding the way we collect, store and use your personal information or want a copy of the information we keep for you, please contact us by:
writing to the designated personal data officer in Paynetics at address: 76, "James Bourchier" Blvd, 1407 - Sofia, Bulgaria; or by sending us a message at: [email protected]
In case you do not want to receive marketing messages which you told us previously that you wanted to receive, please contact us by using the aforementioned details.

Personal data and information that we collect from you

"Personal data" is defined in Article 4, paragraph 1 of GDPR (Regulation (EU) 2016/679):
"(1)"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ".
This Privacy policy and personal data protection is intended to inform you as a user about what categories of personal data we may collect or collect from you in relation to the use of the Destream App. We use and we may provide you with the stored data upon your request. We do not collect personal data from no one under the age of 18 years.
From the first contact that we have with you until providing you with Destream App and Paynetics card, we collect personal information for you, including:

Every time you use Destream app, this version of the Privacy policy and personal data protection will be applied. You express your informed and explicit consent to grant your personal data on a purpose to be collected and processed by us. You may find in this policy exhaustive information about the use of the personal data by us. Our application will exert control over the privacy which is related to the way we will process your personal data. Upon granting your personal data you may indicate your consent or rejection to the collection or processing of your personal data.

For what purposes we will use your personal information

We will use your personal information in order to:

Paynetics will notify you about news regarding the product, promotions, bargains, and other promotional messages via push notifications, and via email.

Destream App use Firebase to collect information regarding the use of the mobile application by the users in order to improve the user experience.
Paynetics will contact you via email; the so-called "push notifications" and in-app messages. „Push notifications” are a technique used by applications for portable smartphones, tablets and devices allowing the owners of such devices to receive news, messages etc. via the appropriate application.
In case Paynetics intend to use your personal data for other purposes, you will be notified and asked for your explicit consent about that.

On what grounds we collect and process your personal data:

1. We may process your data for your account and your profile in Destream App ("profile data"). The data for your account is unique and includes your email, mobile phone number and password and your profile may include your name, email, date of birth, nationality and address, photo and telephone number. You provide us with that data in order to register your account and profile and to use our services. The data for the account and your profile may be processed in order to access your profile via the Destream App, and in order to grant you our services by guaranteeing high level of security of our platform, maintenance of protected reserve copies of our database and performing of communication with you. The data for the profile may be processed also for the purposes of granting full access to the services we provide, Destream App, your Paynetics card and monitoring of your activity. The legal ground for this processing is the contract signed between us and our legal obligation to apply mechanisms for identification and high level of authentication at the provision of financial services.

2. We may process your data granted in the process of using our services ("data for using the services"). The data for using the services may include registration files for accessing our platform as well as a history for the granted and used services. The source of data for using the services is our platform where you maintain a registered account and profile. The data for using the services may be processed for the purposes of functioning of the application, provisioning of our services, guaranteeing the security of the Application and services related to maintenance of protected backup copies of our database and contacting you. The legal ground for this processing is the contract signed between us and our legal obligation to apply mechanisms for identification and high level of authentication at the provision of financial services.

3. We may process your personal documents which you upload in our platform via Your registration ("data on the content"). The data on the content in the form of attached files may be processed for the purposes of identification and verification of your identity which enables you to use our website, mobile application and our services. The legal ground for this processing is your consent and our legal obligation to confirm your identity due to reasons related to counter money laundering and financing of terrorists, before granting you the payment services of Destream app and Paynetics card.

4. We may process information contained in any query which you send us about our services ("data on queries"). The information on queries may be processed for the purposes of the supply, the marketing and the sale of the relevant services to you. The legal ground for this processing is your consent to receive information and to improve our communication channels with you.

5. We may process the information related to the transactions made and the granted services which are performed through Destream App and Paynetics card ("transaction data"). The transaction data may include data on the card, the bank account and the transaction history details. The transaction data may be processed with the purpose of granting services and maintaining correct records about these transactions in our system. The legal ground for this processing is the execution of the contract concluded between us or undertaking of steps upon your demand for concluding of such a contract and our legal obligations.

6. We may process the information which you grant us as subscribers of our email messages and/or newsletters ("data on messaging"). The data on messaging may be processed for the purposes of sending of the relevant messages and/or newsletters. The legal ground for this processing is your consent OR the execution of a contract concluded between YOU and us and/or undertaking of steps upon your demand for concluding of such a contract for using of the services Paynetics card.

7. We may process the information containing in or relating to any communication you send us ("data on correspondence"). The data on the correspondence may include the content of the communication and the metadata related to the accomplished communication. Our website generates metadata related to the communication through the contact form or the query form. The data on correspondence may be processed for the purposes of the communication with you and the keeping of archives for required and granted information. The legal grounds for this processing are our legal interests, namely the correct administration of our website and our contract relationships as well as the communications with the users.

8. We may process all personal data indicated in this Policy when this is needed for instituting, prosecution or defense of/against legal actions/claims regardless of whether it is in legal proceedings or in administrative or extrajudicial procedures. The legal ground for this processing are our legal interests, namely the defense and the confirmation of our legal rights, your legal rights and the legal rights of third parties.

9. In addition to the specific purposes, to which we may process your personal data indicated in this Policy, we may also process your personal data when such processing is needed for observing of a legal obligation which we have, or to protect your vital interests or the vital interests of another physical person.

10. Please do not grant personal data to any other person unless we explicitly require you to do so in relation to granting of additional service.

11. The service is managed from technical point of view by "Phyre" AD. By adopting this Policy, you explicitly agree that the technical processing of the data granted to Paynetics AD by you is performed partially by "Phyre “AD on behalf of the administrator.

11.1. We may disclose your personal data to any member of our group of related companies (including but not limited to our daughter companies, authorised representatives, entire company structure), insofar this is reasonably justified for the purposes and the legal grounds indicated in this Policy.

11.2 We may disclose specific personal data required for the purposes of the identification and verification of your identity done by our authorized suppliers or subcontractors when it is reasonably justified for the specific purposes. In any case you explicitly agree, with a view to the services provided by us, that we may grant your data to agencies for credit control or agencies for fraud prevention and other organizations: to verify the entire personal information provided by you in order to confirm your identity. The agencies may record your information and the searches made (even if any application is unsuccessful or not finished).

11.3. We may disclose your personal data also to companies of third parties with a view to the services provided by us. More specifically but without limitation, our services use and rely on the services for processing and storage of Phyre: Firebase. We may disclose your personal data also to card networks and payment schemes, such as MasterCard, VISA: in order to provide you with Destream App, the Paynetics card and the related services.

11.4 We may disclose your personal data to our professional experts, insofar it is reasonably justified for the purposes of the risk management, the getting of professional advices or the instituting, prosecution or defense of/against legal actions/claims regardless whether it is in legal proceedings or in administrative or extrajudicial procedures.

11.5 In addition to the specific releases of personal data indicated in this Policy, we may disclose your personal data when such disclosure is needed for observing of a legal obligation which we have, or to protect your vital interests or the vital interests of another physical person.

12. You explicitly agree and give your consent that you may become a subject of an automated risk assessment, although Paynetics ensures you that the final decisions are always taken by an authorized employee of the company.

13. We may grant your data to certain third persons who may use your personal information in order to send you marketing messages, only in case you have explicitly given your consent for them to do this, and you have approved the purpose for processing of your data.

STORAGE AND DESTRUCTION OF PERSONAL DATA

14. This section shall define the regulations and the procedure for storage of data which are intended to guarantee the observance of our legal obligation for storage and destruction of personal data.

15. The personal data which we process for any purpose(s) whatsoever, should not be stored longer than necessary for this purpose or these purposes.

16. We shall store your personal data, as follows:

16.1 all personal data will be stored for a minimal period of 5 (five) years after the termination of our contact for servicing.

16.2 Your personal data will not be additionally processed in a way incompatible with the purpose(s) for which they have been preliminarily collected.

17. We shall apply appropriate security measures against unauthorised access or non-permitted change, disclosure, or destruction of the data, and against all other illegal forms of processing.

18. When the purpose for which the personal data have been received, is terminated and the personal data are not required any more, we will destroy them or will delete them in a secure way.

19. Regardless of the remaining provisions of this section, we may retain your personal data when such retention is necessary for observing a legal obligation, required from us or to protect your vital interests, or the vital interests of another physical person.

SECURITY

20. We shall respect the security of your personal data and shall use reasonable electronic, cadre and technical measures in order to protect them from loss, theft, change or abuse. Nevertheless, bear in mind that even the best security measures cannot completely remove all risks.

21. We strive to protect the entire information of the application in the proper way. You however bear responsibility for the protection of the privacy of your personal data for identification, by keeping your passwords for access to the Destream App confidential and protected. You should change your password immediately if you suspect that someone has obtained unauthorised access to it or to your profile. If you lose control over your profile, you should immediately inform the responsible contact person in Paynetics, indicated at the beginning of this Policy.

CHANGES

22. Paynetics may update this policy periodically by publishing a new version. That is why you should accept this Policy each time when you register in the application.

23. Regardless from the above said, we retain our right to notify you at the email address provided by you about any changes in the present policy. That is why you should always keep your contact data updated.

YOUR RIGHTS

24. You may require from us to grant you the whole personal information which we store for you, the granting of such information depending on:

24.1 submitting of appropriate proofs for your identity (to that effect we will ask you to submit documents for identity verification via our platform).

24.2 You have the right to instruct us to provide you with your personal data processed by us. Whereas your requests are manifestly unfounded or excessive, in particular because of their recurrence, we may charge a reasonable fee for providing the information or take an action to process your request.

24.3 The deadline for giving a response from Paynetics actually is fixed at one (1) month after receipt of your request. This term may be prolonged by Paynetics with additional term of 10 days. In that case Paynetics will inform you about the extension at your email address or at your telephone number.

24.4. You may require access to your personal data by sending an email to [email protected] or by visiting our application when you have entered through your registered profile.

25. We may retain your personal information for which you have required access within the legally permitted frame.

26. You may require from us at any time to not process your personal data for marketing purposes.

27. In practice, you usually either agree beforehand your information to be used for marketing purposes, or we shall give you the opportunity to renounce the use of your personal information for marketing purposes.

28. Your fundamental rights in accordance with the Law on the protection of personal data and General Data Protection Regulation are:

28.1 right of access;

28.2 right of rectification;

28.3 right of erasure;

28.4 right to restriction of processing;

28.5 right to object against processing;

28.6 right to object against data portability;

28.7 right to file a complaint with a supervisory body; and

28.8 right to withdraw the consent.

29. You have the right to require correction of inaccurate personal data for you and with a view to the processing of your personal data, to supplement incomplete personal data for yourself.

30. In some cases you have the right to request erasure of your personal data without ungrounded delay. These hypotheses arise when: your personal data is not needed any more with regard to the purposes for which the data has been collected or processed; you withdraw your consent for processing made on the basis of consent; you object against the processing in accordance with certain rights of the applicable legislation for protection of the personal data; the processing is for the purposes of the direct marketing; your personal data were illegally processed. Restriction of the right to erase personal data is present when the processing of these personal data is needed for exercising of the right of freedom of expression and information; for observing of obligation arisen by virtue of a normative act; or for instituting, prosecution or defense of/against legal claims.

31.1. You have the right to require restriction of the processing of your personal data in some of the following cases:

31.2. When the processing is restricted due to one of the hypotheses quoted above, such data will be processed, with exception of its storage, only with your consent or with the purpose of instituting, prosecution or defense of legal claims, protection of the rights of another physical person or due to important grounds of public interest for the European Union or a Member State.

31.3. When you have requested restriction of the processing pursuant to paragraph 1, we shall inform you before the revoking of the restriction of the processing.

32. You have the right at any time and on grounds related to your specific situation, to object to processing of your personal data when a processing is performed on one of the following grounds:

33. In case you have explicitly given your consent for processing of your personal data for the purposes of direct marketing (including profiling for the purposes of the direct marketing), you have the right to object against such processing at any time. In case you make such an objection we will discontinue the processing of your personal data to that effect. We will discontinue the processing of your personal data, except when we find out that there are convincing legal grounds for the processing which have priority over the interests, rights and freedoms of the data subject or for instituting, prosecution or defense of legal claims.

34. We will process your personal data for historical scientific purposes or for statistical purposes only if such processing is needed to execute a task performed by considerations for public interest.

35. Insofar the legal ground for the processing of your personal data is:

35.1 a consent; or

35.2 the processing is necessary for the execution of a contract you are a party to or have undertaken steps to conclude a contract upon your request, and this processing is performed in automated ways, You have the right to request personal data from us in a structured, accessible and machine-readable format. A restriction of this right shall be present when the transfer of the data will affect unfavorably the rights and freedoms of third persons. The same will be valid when your personal data are transferred to another administrator (Right of transfer of data).

36. In case you consider that the processing of your personal information is in violation of the laws on data protection, you have the right to file a complaint with a supervisory body responsible for the data protection. You may do this in the Member State of EU where you usually reside, are employed or at the place of the presumed violation.

37. Insofar the legal ground for the processing of your personal information is consent, you will have the right to withdraw this consent at any time. The withdrawal will not affect the conformity with the law of the processing before the withdrawal as well as it will not affect or restrict the processing of any other legal ground or contract.

38. You may exercise your rights with a view to your personal data by written notification to us and to send it to our official contact email address published on our website.

39. We will keep some of your data in order to enable subsequent personal identification, in order to avoid abuse, for rectifying problems, in order to assist to any investigations, in order to apply our General provisions and/or to observe legal requirements for storage of personal data. Therefore, you should not expect that all your personal identifying information will be completely removed from our database in response to your request. We also keep history of the changes made to the granted data, in order to investigate presumed frauds with your profile.

MONITORING FOR QUALITY ASSURANCE AND TRAINING

40. We strive to guarantee that the services we provide to our clients are of possibly the highest standard. With a view to that purpose, sometimes it may become necessary to record the telephonic and electronic messages between our employees and third persons in order to assure the quality and training or if it is permitted by the law only after you have been notified of that. We will always perform monitoring of the communications with accordance to the applicable legislation and at any time will continue to protect the privacy of your messages in accordance with these rules.

International transfers of personal data (including to providers of services assigned to external subcontractors)

41. It may become necessary to transfer your personal information to business partners and services providers residing in territories outside the European Economic Area ("EEA"). For instance, we may maintain the Destream App and the Paynetics card and the services related to it from centres such as USA and we may process payments via other organisations like card networks and payment schemes located outside EEA. Upon downloading and usage of Destream App, of Paynetics card you explicitly agree to that. You should bear in mind that we will never transfer your personal data to a state or to an organisation which does not offer sufficient level of protection, without your explicit informed consent. The protection provided by General Data Protection Regulation (GDPR) follows the data provided by you which means that the rules for personal data protection continue to be applied regardless of the place where the data is located. This is valid also when the data is transferred to a state which is not member of EU (hereinafter referred to “third country”). Here are the cases which the General regulation envisages for authorized transfer of personal data:

How we take care of your personal information

We have at our disposal technical and organisational assurance according to us appropriate for the protection of your personal information against unauthorized or unlawful use, damage or destruction. We have introduced strict rules for privacy (including obligations for data protection) with our services providers from third countries.