Privacy Policy for the Pago Application

Last updated: 07.04.2026

Preamble

When you confirm that you have read and understood this Privacy Policy (the "Policy") upon creating your account in the Application, we consider that you understand how your personal data ("PD") is used within the Application. Whenever the Applicable Law requires it, or we otherwise rely on this legal basis, we will request your free, informed, specific and unequivocal consent to the processing of your PD. By expressing your consent, you agree that we may collect, use, disclose, process and transfer your PD in accordance with this Policy.

This Policy is intended to present, as clearly and transparently as possible, the manner in which your PD is processed by us (the "Company", defined below) as a data controller. Accordingly, the Policy does not apply to any other processing operation concerning PD carried out by any other natural or legal person, acting as an independent data controller, such as the regulated Payment Institution with which the Company cooperates (see Section 4.3 below).

The document is subject to continuous change. Should you have questions about your PD, please write to us at personaldata@pago.app or, after creating your account in the Application, use the "Say your opinion" section within the Application. Section 8 below contains information about the processing of PD through the site associated with the domain pago.app/it (the "Site") — PD which is collected and processed when you access the Site.

In Brief

At Pago (the "Application"), we want to offer you (the "User") the possibility to pay and/or subscribe to as many services as possible from utility suppliers and other service providers, in one place. To achieve this objective, we must access several categories of PD. We therefore kindly ask you to read this Policy so you understand the relationship between your PD and the Application: who processes your PD, for what purposes and on what legal bases, and what your rights are.

What PD do we process? The Application processes information obtained from you both directly (for example, when you fill in a form or text field within the Application, such as the registration form or the "Say your opinion" section) and indirectly (following an action you perform in the Application, such as connecting to an electronic account of a services supplier). Some of this information is PD (information which may identify you or which may lead to your identification). Among these:

• one category is necessary for the Application to function (for example, the e-mail address is necessary so that we can send you payment confirmations);
• another category is used on the basis of our legitimate interest to improve our services;
• another category is used on the basis of our legitimate interest in ensuring the security of the Application, by preventing cyber attacks and fraud;
• another category is used on the basis of our legitimate interest in establishing, exercising and/or defending legal claims;
• another category is used on the basis of compliance with obligations under the Applicable Law and/or orders issued by competent Authorities;
• another category is used on the basis of a need to satisfy your requests regarding the Site and our activities received through the contact details on the Site, or through the "Say your opinion" section of the Application;
• one last category of PD is processed on the basis of your explicit consent.

You will find more details about the PD processed in Section 3 below.

Who may process your PD through the Application?

1. First, the Company that operates the Application: Pago Italia S.r.l. (more details in Section 1).
2. Second, in developing and operating the Application, we use products and services developed and operated by third parties acting as our processors. They may access a portion of the PD you communicate within the Application and process it according to the purposes we indicate. These third parties and their role are described in Section 4.1 below.
3. Third, a meaningful portion of your PD is collected and processed by Agreed Suppliers (the service providers whose electronic accounts you connect within the Application). You will find more about this in Section 4.2 below.
4. Fourth, certain payment operations (bill payments, utility top-ups, vouchers) are executed through an independent regulated Payment Institution that acts as an autonomous data controller for its own processing purposes, pursuant to Italian banking, anti-money-laundering and payment-services law. This relationship is described in Section 4.3 below.

All PD is processed by third parties which are either located within the European Union and process the PD on EU territory, or which process such PD in accordance with European Union law. We aim to cooperate only with entities that process PD on systems located within the European Union and to use PD-storage services that allow us to store data within the European Union, or in accordance with European Union regulations.

You have several rights in respect of your PD. You will find more about these rights in Section 5 of this Policy.

This Policy is completed by the Terms and Conditions of the Pago App, available at www.pago.app/it/t&c.

1. Details about the Controller

Pago Italia S.r.l. (hereinafter referred to as the "Company"), holder of all rights over the Pago App, observes the private character and the security of personal data processing of each User of the Application, in its capacity as data controller, in accordance with Regulation (EU) 2016/679 (the "GDPR") and Italian Legislative Decree No. 196/2003, as amended by Italian Legislative Decree No. 101/2018 (the "Italian Privacy Code").

Identification data of the Controller:

• Legal name: Pago Italia S.r.l.
• Legal form: Società a responsabilità limitata (S.r.l.)
• Registered office: Via Giuseppe Revere 16, Milan (MI), Italy
• Codice fiscale / P.IVA / REA: 12955520965
• Register: Registro delle Imprese di Milano Monza Brianza Lodi
• Amministratore Unico: Adrian Cighi
• Contact for personal-data matters: personaldata@pago.app

1.1 Data Protection Officer

The Company evaluates on an ongoing basis the requirement to appoint a Data Protection Officer (DPO) pursuant to Article 37 GDPR. For any matter relating to the processing of your PD, and until such time as a DPO is formally appointed and communicated in this Policy, you may contact the Company directly at personaldata@pago.app.

2. Definitions

In this document, the capitalised words have the following meanings:

• "Applicable Law" means any provision, of whatever rank, belonging to Italian law or to European Union law, applicable in any way to the Application, the Site and to the legal relationships arising as a result of interactions between the Company and the Users;
• "Pago App" or "Application" means the software application, in respect of which the Company is the exclusive holder of rights, through which the Users may make electronic payments online to various service suppliers, available for download by Users on their mobile phones through Apple App Store and Google Play, directly, or indirectly through the Site, by redirection. For the purpose of this Policy, this definition applies irrespective of the modality of accessing the Pago App;
• "Account on Third Site" means the Users' accounts and the information found on other websites or applications belonging to the Agreed Suppliers, other than the Pago App, in respect of which the Company has no right and for whose functioning the Company is not liable;
• "Disclosure" means the making of personal data known to unspecified persons, in any form whatsoever, including by making them available or allowing their consultation (as defined in Article 2-ter, paragraph 4, letter b) of the Italian Privacy Code);
• "Italian Privacy Code" means Italian Legislative Decree No. 196/2003, as amended and/or supplemented (in particular by Italian Legislative Decree No. 101/2018);
• "Personal Data" or "PD" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR;
• "Agreed Supplier" means the legal entity included in the Pago App to which the Users may make payments through the functions of the Pago App. Agreed Suppliers are uploaded into the Application insofar as the Company or any of its collaborators has a contractual relationship with them in this regard;
• "Payment Institution" means the independent regulated Payment Institution with which the Company has entered into an outsourcing arrangement for the execution of certain payment operations (bill payments, utility top-ups, vouchers). This entity is described in Section 4.3 below;
• "Services" means the payment services for invoices, charges, insurance policies (where applicable) and any other type of payment offered to the User through the Pago App, as well as ancillary functionalities;
• "Supervisory Authority" means the independent public authority established by an EU Member State, or by the European Union itself, in charge of supervising the application of the data-protection legislation. For Italy, the competent Supervisory Authority is the Garante per la protezione dei dati personali (www.garanteprivacy.it);
• "User" means any natural person who registers and uses the Pago App, accepting the Terms and Conditions. The Pago App is intended for use by persons of full legal age under Italian law; for the minor-consent rule applicable to the information-society-service aspects of the Application, see Section 9 below.

3. The Processed Personal Data and the Purposes of Processing

In connection with the operation of the Pago App, the Personal Data is processed on several legal bases and for several purposes:

3.1 Legitimate interest — improving our services (Art. 6(1)(f) GDPR)

On the basis of the Company's legitimate interest in improving our services, we process the following Personal Data, obtained either from the Account on Third Sites or through the technical capabilities of the products mentioned in Section 4.1:

• 3.1.1. name and surname (in order to validate that a payment is made by a certain person and to minimise the possibility that fictitious persons register accounts within the Application);
• 3.1.2. depending on the type of Agreed Supplier, the phone number and the address relating to any contract between the User and any Agreed Supplier, if they are displayed on any invoice (in order to validate the performance of any payment by the titular / representative of the titular of the ownership / use / access right over the premises indicated at the address on the invoice, and to monitor the Application's territorial coverage);
• 3.1.3. any other information available on any invoice (in order to give the User the possibility to see all details relating to invoices correlated with the Agreed Suppliers, at any time within the Pago App);
• 3.1.4. the type of consumption place associated with the Agreed Supplier which is configured within the Pago App (for example, the parents' home, the holiday home, the domicile), in order to make it easier for the User to identify the amount to be paid for a certain consumption place; this information may also be used to define online marketing strategies;
• 3.1.5. information about the number of accesses to the Pago App and the last access by a certain User (in order to understand how and how often the Pago App is used);
• 3.1.6. information about the town the User comes from, the devices used to access the Application and its operating system (in order to generate usage statistics and to define online marketing strategies in certain geographical areas).

3.2 Performance of a contract (Art. 6(1)(b) GDPR)

On the basis of the need to deliver the Service and to perform all related and subsequent activities for the Users — that is, to make the Application functional — we process the following Personal Data:

• 3.2.1. the e-mail address (in order to validate the creation of an account and to send notifications and other information to the User about their activity in the Pago App — for example, payment confirmations);
• 3.2.2. bank card data (in order to allow the execution of payments through the Pago App); such data is processed by third parties in accordance with the information from Section 7 below, the Company storing this data only for the purpose of displaying it within the Pago App, insofar as the User chooses to have their data retained in order to facilitate subsequent payments; in this case, the Company will store only the card tag (as the User saved it) and the specific token issued by the card processor;
• 3.2.3. the username and password for the electronic payment services available on the sites / mobile applications of the Agreed Suppliers (in order to display (i) the amounts to be paid relating to invoices available in the Accounts on Third Sites, and (ii) the history of payments made by the User and the invoices available in those Accounts on Third Sites); for clarity, the Company processes only the information mentioned in this section from the Accounts on Third Sites;
• 3.2.4. the amount to be paid, the service suppliers to whom the amounts are owed, and the client codes within the systems of the Agreed Suppliers (in order to display this information within the Pago App and to correlate payments with the Agreed Suppliers);
• 3.2.5. the payment date and time relating to each invoice (in order to communicate to the Agreed Supplier the moment a payment was made and to confirm to the User that a payment was made before the due date, where the User requests such confirmation);
• 3.2.6. information related to the selected subscription plan (Free, Premium, Limitless), subscription history and renewal dates, in order to provide the Services and functionalities corresponding to the selected subscription level.

3.3 Security of the Application (Art. 6(1)(f) GDPR — legitimate interest)

On the basis of the Company's legitimate interest in maintaining the security of the Application and the Users' accounts, we process usage data (log data, IP address).

3.4 Pre-contractual measures (Art. 6(1)(b) GDPR)

On the basis of pre-contractual measures taken at your request, for the purpose of satisfying your requests regarding the Site and our activities — received through the contact details on the Site or through the "Say your opinion" section of the Application — we process the Personal Data you provide with your request.

3.5 Legal claims (Art. 6(1)(f) GDPR — legitimate interest)

On the basis of establishing, exercising and/or defending legal claims, we process the Personal Data referred to in Sections 3.1 and 3.2 above.

3.6 Legal obligations (Art. 6(1)(c) GDPR)

On the basis of compliance with obligations under Applicable Law and/or orders issued by competent Authorities, we process the Personal Data referred to in Sections 3.1 and 3.2 above. This includes, in particular, obligations under Italian anti-money-laundering law (in the context of Section 4.3 below) and tax obligations.

4. Additional Information

4.1 Company's Processors

The Personal Data processed through the Application is made available to the following third entities, whose products and services are necessary for the development and operation of the Application. Each entity processes the data only in accordance with the Company's written instructions and in compliance with Article 28 GDPR.

International transfers. Where a processor is located outside the European Economic Area, the Company relies on either (i) a European Commission adequacy decision, (ii) Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914), or (iii) another transfer mechanism permitted by Chapter V GDPR. Copies of the applicable safeguards can be requested at personaldata@pago.app.

4.2 About the Agreed Suppliers

When choosing these entities, the Company takes into account their compliance with applicable Personal Data protection rules. If the Company decides to add or to replace these entities, Users will be notified in advance and will have the possibility to refuse further use of the Pago App should they consider that Personal Data processing by another entity is not favourable to them.

• 4.2.1. The Agreed Suppliers determine the purposes of the processing of Users' Personal Data in respect of the payments made for invoices issued by those Agreed Suppliers.
• 4.2.2. Users who wish to find out more about the Personal Data held by an Agreed Supplier may contact the Agreed Supplier using the contact data indicated within the Pago App, or the contact data provided by the Agreed Supplier when the User became their client.
• 4.2.3. We recommend consulting the personal-data-processing policies which each Agreed Supplier makes available on its official website or at its nearest registered office, subsidiary, branch or working point.

4.3 The Payment Institution — independent data controller

For the execution of bill payments (bollettini), utility top-ups (ricariche) and voucher transactions within the Application, the Company cooperates with Admiral Pay Istituto di Pagamento S.r.l., an Italian Payment Institution authorised by Banca d'Italia under Article 114-sexies of Italian Legislative Decree No. 385/1993 (the "TUB") and registered in the Albo degli Istituti di Pagamento under number 36080.

Identification data of the Payment Institution:

• Legal name: Admiral Pay Istituto di Pagamento S.r.l. (sole shareholder: Novomatic Italia S.p.A.)
• Registered office: Via Benedetto Croce 122–124, Rome, Italy
• Codice fiscale / P.IVA: 04335420404 (VAT Group no. 15851041002)
• Banca d'Italia authorisation no.: 36080

In respect of the payment data processed in connection with such transactions (for example: the identity of the payer, the identity of the beneficiary Agreed Supplier, the amount, the date and time of the transaction, and any information required to discharge the Payment Institution's obligations under the TUB, Italian Legislative Decree No. 231/2007 and Italian Legislative Decree No. 90/2017), the Payment Institution acts as an independent data controller (Titolare autonomo del trattamento), not as a processor of the Company. This is because the Payment Institution has statutory data-processing obligations (in particular under banking supervision, anti-money-laundering and payment-services regulation) which cannot legally be performed solely on the Company's instructions. The commercial relationship between the Company and the Payment Institution is structured as a PSD2 outsourcing arrangement (accordo di esternalizzazione), which is distinct from a data-processing agreement under Article 28 GDPR.

For information on the Personal Data processed by the Payment Institution in its capacity as independent data controller, Users are invited to consult the Payment Institution's privacy policy, available on its website.

4.4 The Term of Personal Data Processing

• 4.4.1. The Personal Data supplied by Users is processed by the Company in electronic format for the entire period during which the natural person providing the Personal Data has the quality of User, as well as for a period of one year following the termination of that quality, unless Applicable Law provides otherwise.
• 4.4.2. After the period during which the natural person is a User of the Pago App, the Personal Data is retained in order to study to what extent certain activities of the Company prompt former Users to reinstall the Application. In any event, after deletion of the User's account from the Application and the elapse of the term indicated in Section 4.4.1, the User's Personal Data will be used only for statistical and analytical purposes, in aggregated form — for example, to present in public contexts information about the number of historical users of the Application and their activity.
• 4.4.3. Data retained for the fulfilment of legal obligations (in particular accounting, tax, and anti-money-laundering obligations in connection with Section 4.3) will be kept for the periods mandated by those obligations.

5. Users' Rights

Users benefit from the following rights in respect of their Personal Data, which may be exercised through the "Say your opinion" section of the Pago App or by sending an e-mail to personaldata@pago.app:

5.1 The right to access the Personal Data

• 5.1.1. Any User may ask the Company, free of charge, once every six months, to confirm whether or not their Personal Data is being processed. If so, the Company shall inform the User about: the purposes of the processing; the categories of data processed and, insofar as these Personal Data are not current / updated / relevant, the right to request rectification, erasure or restriction of processing, or the right to object to processing; the natural or legal persons with access to the Personal Data; the retention period of the Personal Data; the right to lodge a complaint with the Garante per la protezione dei dati personali (www.garanteprivacy.it) or with the Data Protection Authority of the EU Member State of the User's habitual residence or workplace, or of the place of the alleged infringement, insofar as the User considers that they cannot exercise their rights in relation to the Controller.
• 5.1.2. The Company may charge a reasonable administrative fee for providing this information insofar as requests made by a User are more frequent than once every six months; the fee will be communicated to the User at the time a new request is made within the mentioned term.

5.2 The right to rectify the Personal Data

Any User may ask the Company, free of charge, to rectify inaccurate Personal Data concerning them. If the User considers it necessary after the Company's reply, the User may ask for their Personal Data to be completed. The Company may either make the necessary modifications within the User's account in the Pago App or indicate the steps by which the User may make the rectification.

5.3 The right to erase the Personal Data

• 5.3.1. The User may ask the Company to erase the Personal Data concerning them; the Company will comply with the request in the following situations:
• 5.3.1.1. where the Personal Data whose erasure is requested is no longer necessary for the purposes for which it was collected or processed. In this case, the Company will send a reply to the User, explaining the need to continue processing in the light of the purposes of the processing and the consequences of erasure. If the User considers that the processing no longer complies with the purposes, the User may insist on erasure, assuming liability for any effects on the use of the Application following erasure;
• 5.3.1.2. if the User withdraws their consent for Personal Data processing, where the respective Personal Data is processed on the basis of the User's consent;
• 5.3.1.3. if the User objects to the processing in accordance with this Policy; the Company will send a reply indicating the extent to which there are legitimate grounds for continued processing. Where the Company sends newsletters or other commercial communications, the User may at any time and for any reason opt out of receiving further such communications;
• 5.3.1.4. if the User considers that the processing has been unlawful; the Company will reply explaining the extent to which there are legal grounds for the processing. If the User considers that the processing no longer complies with the purposes indicated by the Company, the User may insist on erasure, assuming liability for any effects on the use of the Application following erasure.
• 5.3.2. The Company may refuse to comply with the erasure request if the Personal Data cannot be erased due to legal obligations regarding the Company's activity (in which case the Company will indicate to the User the grounds of the legal obligation) or for storage or statistical reasons (in which case the Company will indicate the measures taken to ensure that the User's Personal Data is processed securely and only in aggregated form).

5.4 The right to restrict the Personal Data processing

The User may ask the Company to restrict the processing of their Personal Data in one of the following cases:

• 5.4.1. the User indicates that their Personal Data is not accurate, and the Company cannot rectify the Personal Data indicated at the time it received the information from the User;
• 5.4.2. the User indicates that the processing is unlawful but does not want the data to be erased, only to have its processing restricted;
• 5.4.3. the User indicates that they wish their Personal Data to remain accessible within the Pago App for the purpose of establishing, exercising or defending a right before any authority, but does not wish it to be processed for other purposes;
• 5.4.4. the User objects to the legitimate interest for the processing, and the Company cannot yet assess whether the Company's legitimate interest prevails over the right exercised by the User.

Where the restriction of processing applies, the Company will inform the User in advance before the moment when the restriction is no longer applicable and the Personal Data is processed again.

5.5 The right to Personal Data portability

The User may ask the Company to send all the Personal Data which the User has provided to the Company (i.e. Personal Data directly entered by the User into the Pago App or relating to the User's preferences in the Pago App), in a format that allows the User to transmit this Personal Data to another entity (for example, another payment services operator), in order to access new services or products. This right may be exercised only in respect of Personal Data processed on the basis of the User's consent or the performance of the agreement with the User.

5.6 The right to object

• 5.6.1. The User has the right to object to the processing of Personal Data on the basis of the Company's legitimate interest, as described in this Policy. The User may send an e-mail to the Company at personaldata@pago.app, or use the "Say your opinion" section, indicating the reason for the objection (in whole or in part).
• 5.6.2. The Company will reply to the User within 30 days of receiving the request, indicating the extent to which it considers that the Company's legitimate interest prevails over the ground for objection indicated by the User.
• 5.6.3. If the User does not wish to receive marketing and/or promotional messages from the Company (insofar as the Company sends such messages), the User may at any time opt out, without any reason.
• 5.6.4. Where the User's exercise of the right is legitimate, the Company will take the necessary steps to cease processing the User's Personal Data.

5.7 Right to lodge a complaint

The User may lodge a complaint with the Garante per la protezione dei dati personali (www.garanteprivacy.it) or with the Data Protection Authority of the EU Member State of the User's habitual residence or workplace, or of the place of the alleged infringement, if the User considers that the reply received from the Company — or the absence of a reply — is unjustified.

5.8 Correspondence

• 5.8.1. To exercise the rights set out above, the User may contact the Company at personaldata@pago.app or use the "Say your opinion" section of the Pago App.
• 5.8.2. The Company will analyse each request individually and communicate with the User to comply with the request as closely as possible to the User's expectations.
• 5.8.3. The Company will reply to all requests within 30 calendar days of receipt. Where an extension of that term is necessary, the Company will inform the User before the expiry of the initial term.

5.9 Delay, limitation or exclusion

The exercise of the rights set out above may also be delayed, limited or excluded in the cases provided for in Article 2-undecies of Italian Legislative Decree No. 196/2003.

6. Confidentiality of Personal Data

• 6.1. The Company uses only the Personal Data it needs to offer the Pago App. If we no longer need to process certain Personal Data, we will cease processing it and inform you accordingly.
• 6.2. When processing Personal Data, the Company grants access only to those employees and collaborators who need such access to carry out their activities in connection with the Company.
• 6.3. Beyond the entities mentioned in this Policy, we will not grant access to the Personal Data to other third entities without first informing you of such a need.

7. Processing Security

• 7.1. The Company is required to administer the Personal Data supplied by the Users through the Pago App in secure conditions.
• 7.2. The Personal Data is protected as follows:
• 7.2.1. from the point of view of the possibility of viewing and accessing the Personal Data, this is encrypted against any unauthorised access; the entire data transfer — including the Personal Data transfer — between the User and the Pago App is encrypted (TLS in transit);
• 7.2.2. from the point of view of the storage of the Personal Data, this is stored through secured cloud services provided by third parties (Microsoft Azure as primary cloud infrastructure and DigitalOcean for selected components), with encryption at rest and access controls consistent with industry standards;
• 7.2.3. all information about the Users' bank cards used within the Pago App is stored and processed on the infrastructure of the card-payments processor Banca Transilvania S.A. (products BT eComm / iPay). The payment information is captured directly in input screens hosted by the card processor; it is not returned to the User's terminal nor to any other system, including the Company's systems. The Company stores only a non-sensitive card tag and a token issued by the card processor, and only to the extent the User opts to retain their card for future payments;
• 7.2.4. all transactions are authorised and processed using encrypted identification keys, unique per card, which are exchanged through a secure channel between the Pago App and the card processor. For any information relating to any payment processing or transaction performed within the Pago App, please write to us at supporto@pago.app.
• 7.3. The security of the User's account also depends on the User maintaining the confidentiality of the login credentials. In this regard, the Company recommends that Users:
• 7.3.1. use a strong password and renew it at regular intervals;
• 7.3.2. avoid using the same password for multiple applications;
• 7.3.3. implement automated systems for securing the information systems used to access the Pago App;
• 7.3.4. avoid storing the account password in unprotected documents or documents accessible by third parties;
• 7.3.5. avoid disclosing the account password to other persons.
• 7.4. The Company will not be held liable for the User's negligence or inaction which compromises the security of the account in the Pago App.

8. About the Site

Within the Site (pago.app/it), the Company collects and processes PD which comes into its possession in the following situations:

• through the contact form available in the "Contact" section, in which case the name and surname, the e-mail address and any other information available within the "Your message" field are collected and processed. The PD collected through this form is processed on the basis of the Company's legitimate interest in building a lasting relationship and a history of correspondence with any person contacting the Company;
• through the contact button available on each page of the Site, where messages are collected and processed with the support of the Intercom product (see Section 4.1), whose personal-data-processing policy is available at www.intercom.com/legal/privacy.

Any changes to this Policy will be announced well in advance of the effective entry into force of those changes.

9. Minors

The Application is intended for use by persons of full legal age under Italian law.

To the extent that any processing of Personal Data of a minor falls within the scope of Article 8(1) GDPR — that is, the offer of information-society services directly to a minor on the basis of consent — Italian law, in exercise of the national discretion granted by Article 8(1) GDPR and pursuant to Article 2-quinquies of Italian Legislative Decree No. 196/2003 (as introduced by Italian Legislative Decree No. 101/2018), sets the minimum age at which a minor may validly give such consent at 14 years. For processing that requires consent and that concerns a minor below that age, the consent of the holder of parental responsibility is required, to the extent the processing takes place at all.

The Company does not knowingly process Personal Data of persons who do not meet these age requirements. If the Company becomes aware that such Personal Data has been collected, it will take reasonable steps to delete that data.

10. Governing Law

This Policy is subject to the provisions of Italian law and to any mandatory provisions of European Union law, and will be interpreted in accordance with them.

Changelog