2.2. Under relevant data protection legislation, including but not limited to the General Data Protection Regulation ("GDPR"), the UK GDPR and the Data Protection Act 2018 (the "Legislation"), the controller is the party that, alone or jointly with others, determines the purposes and means of the processing of personal data. "Controller", "processor", "personal data" are as defined in the Legislation.
2.3. For any clarification, question or requirement related to your privacy and the processing of your personal data, please contact email@example.com.
3.1. Personal data means any information about an individual from which that person can be identified, directly or indirectly.
3.3. We may also collect, use, and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature
3.4. If not explicitly written to inform you on collecting sensitive personal data (e.g., within the identification procedure), we do not collect any special categories of personal data about you (so called sensitive data; this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic data).
3.5. Information is gathered from you in a range of ways that are outlined below:
3.6. Personal Data that users provide to SORA should not include any of the following data types, and users hereby expressly warrant that they will not provide any of the following:
3.7. SORA may use user Personal Data to send direct marketing to our users via e-mail only when the user has given express prior consent in the relevant contact form. Users may at any time withdraw approval to receive marketing communications by expressly withdrawing consent via their individual SORA interface (wallet).
3.8. SORA will not rely solely on automated user onboarding processes or transaction monitoring, including profiling, with respect to its decisions regarding a user’s ability to transact business via the Website and Services.
3.9. When you use the Website, Products and Services, we automatically collect information about you, including:
3.10. Our use of your personal data depends on how and where you interact with us. However, whenever we process your personal data, we do so on the basis of a lawful “justification” (or legal basis) for processing. In the majority of cases, the processing of your personal data will be justified on one of the following bases:
|CATEGORY OF PERSONAL DATA||THE PURPOSES FOR WHICH WE PROCESS YOUR PERSONAL DATA||LEGAL BASIS||RETENTION PERIOD|
|Account Data, Profile Data, Transaction Data||Fulfilment of Services: To enable us to perform the services to you – to carry out our contractual obligations relating to you, to manage our relationship with you which will also include notifying you about changes to our service and changes to our terms or policies.||It is necessary for us to process your information to perform our obligations in accordance with any contract that we may have with you. It is also in our legitimate interest to ensure quality Services are provided to you.||We will store the data for as long as the agreement shall be in force and for an additional period in which either party can make any legal claims arising out of this agreement.|
|Account Data, Profile Data, Transaction Data||Support Services: To enable us to respond to your queries or requests in accordance with the content of such a query or request.||It is necessary for us to process your information to perform our obligations in accordance with any contract that we may have with you. It is also our legitimate interest to ensure quality information is provided to users and potential users.||We will store the data for as long as the agreement shall be in force and for an additional period in which either party can make any legal claims arising out of this agreement.|
|Account Data, Usage Data||Marketing Communications: To provide news and information services including email briefings and newsletters.||We will only send you marketing communications where you have consented and expressed a preference to receive such marketing communications, or where we have other lawful right to do so.||Until withdrawal of consent.|
|Technical Data, Usage Data||User Insight and Analysis: To collect insights into how you interact with our services so that we can personalise our communications with you and maintain and improve our websites and services.||Where your personal data is not in an anonymous form, it is in our legitimate interest to use your personal data in such a way to ensure that we deliver our online services to you and our other clients effectively and to ensure quality. Where lawfully required, we may also process your personal data in accordance with your consent to the processing.||We will store the data for as long as necessary to properly perform our Services, in any case not longer than allowed according to the applicable regulation. Until withdrawal of consent.|
|Profile Data, Transaction Data||Compliance with Legal Obligations: To comply with legal and regulatory obligations to which we are a subject (e.g. anti-money laundering).||It is our legal obligation to do so.||We will store the data for a period required under the applicable laws.|
|Account Data, Transaction Data, Technical Data, Usage Data||Safety and Security: For internal operations, including bug fixes, troubleshooting, data analysis, testing, and general security developments.||It is in our legitimate interests to improve the security and use of the Website, Platform and Services, including data security.||We will store the data for as long as necessary to properly perform our Services, in any case not longer than allowed according to the applicable regulation.|
|Transaction Data||Business Sale: In the event that we sell or buy any business or assets, disclose your data to a prospective seller or buyer,||It is in our legitimate interests to deliver accurate information about our business to a prospective buyer. It is also our legal obligation to do so.||We will store the data for as long as necessary to properly perform our Services, in any case not longer than allowed according to the applicable regulation.|
3.11. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at firstname.lastname@example.org.
3.12. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
4.1. Where the legal basis for processing your personal data is your consent, you have the right to withdraw that consent at any time. You can exercise this right by clicking on the “unsubscribe” button on our marketing emails or by choosing a similar opt-out option that we may provide for you to exercise your right to object to the processing of your personal data.
4.2. You may opt-out of receiving promotional messages from us by following the instructions in those messages. If you opt-out, we may still send you transactional or relationship messages.
5.1. Our general approach is to retain your personal data only for as long as required to fulfil the purposes for which it was collected, or to comply with any legal, regulatory or reporting obligations or to assert or defend against legal claims. We generally retain your personal data for 6 years from the end of our relationship, unless local law requires otherwise. However, in some circumstances we may retain personal data for longer periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements.
5.2. In specific circumstances we may also retain your personal data for longer periods of time corresponding to the applicable statute of limitations so that we have an accurate record of your dealings with us in the event of any complaints or challenges.
6.2. We may also share your personal data with law enforcement, data protection authorities, government officials, and other authorities, including when:
6.3. We may also disclose certain personal data to our current or future affiliates, subsidiaries and other related entities, as well as to our operational and business partners and subcontractors when this is necessary for the performance and execution of any contract we enter into with them or you. We may also share your personal data with third parties in connection with potential or actual restructuring, merger or sale of our company or any of our assets, or those of any associated companies, in which case personal data held by us about our users may be one of the transferred assets.
6.4. Other important cases when we share your personal data:
6.5. With respect to US residents, we also may share your information with other financial institutions as authorised under Section 314(b) of the US Patriot Act, and with tax authorities, including the US Internal Revenue Service, pursuant to the Foreign Account Tax Compliance Act ("FATCA"), to the extent that this statute is determined to apply to us.
6.6. We may also share aggregated or de-identified information, which cannot reasonably be used to identify you
6.7. SORA does not process or collect any data. All data collected in the SORA side of the process is collected and transmitted through the interface under PayWings technical implementation. PayWings is involved in the regulated activities, supervised and executed by regulated entities. Privacy and data protection policies of PayWings are also supervised and inspected by SORA to ensure your privacy.
6.8. In accordance with GDPR policy (https://www.paywings.com/privacy-policy/), PayWings only collects and processes the data that are absolutely required for our legitimate business needs, required by the laws and regulations, and we keep audit logs of all accesses and reasons for the particular access to the data whenever such event takes place.
6.9. Our service providers are required to provide sufficient assurances in accordance with data protection law. (e.g. being bound contractually to confidentiality and data protection obligations). We will only share personal data necessary for them to provide their services. For our business requirements that are mentioned at article 6.8., we share your data with our service providers in four main categories:
All of our partners are obligated to protect your data and privacy as required by the laws and regulation.
7.1. We have adopted security measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure, or access. We limit access to your personal data to those employees and third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
7.2. For the best possible protection of your personal data outside the limits of our control, your computer or other device should be protected (such as by updated antivirus systems) and your internet service provider should take appropriate measures for the security of network data transmission (such as, for example, firewalls and anti-spam filtering).
7.3. While we take reasonable steps to protect your personal data, we cannot guarantee that the personal data you disclose to us will be 100% secure, nor that any data breach will not occur. You accept the inherent security implications of dealing on-line over the Internet and will not hold us or our processors responsible for any data breach unless it is due to our negligence.
7.4. We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7.6. However, if we do transfer personal data to third parties outside the UK and EEA, such transfer will be based on appropriate legal safeguards. In these cases, we ensure that both ourselves and our partners take adequate and appropriate technical, physical, and organisational security measures to protect your data.
8.1. Websites may include links to third-party websites, plug-ins, channels, or other applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party services and are not responsible for their privacy statements. When you use the third-party services, we encourage you to read the privacy notice of every website or application you use.
9.1. Under certain circumstances, you have the following rights in relation to your personal data:
9.4. For further information regarding your rights, to exercise any of your rights, or if you have any complaints or questions regarding the processing of your personal data, please contact us via email@example.com.
9.3. Please note that we may request proof of identity, and we reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. We will endeavour to respond to your request as soon as possible and in any case within the applicable timeframes.
71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom
Email address: firstname.lastname@example.org
10.2. If your request or concern is not satisfactorily resolved by us, you may approach your local data protection authority.
The Information Commissioner is the supervisory authority in the UK: https://ico.org.uk
We would, however, appreciate the opportunity to deal with your concerns before you approach the authorities, so please contact us in the first instance.