1. Details about the control

Pago Italia SRL (hereinafter referred to as the "Company"), title holder of all the rights over the Pago App (as these terms are defined below), observes the private character and the security of personal data processing of each user of this application, having the quality of personal data controller, according to the provisions of European Union General Regulation on Personal Data Processing no. 2016/679 ("GPDR").

2. Definitions

In this document, the words used in capitals will have the following meanings:

• "Applicable Law" means any provision, of whatever rank, belonging to Italian Law or to the Law of the European Union, in whatever way applicable to the Site and to the legal relationships arising as a result of the interactions between the Company and the Users;
• "Pago App" or the "Application" means the software application, over which the company is the exclusive titular of rights, whereby the Users (as defined below) may make electronic payments online, to various suppliers of services, accesible for being downloaded by the Users on their mobile phones, through Apple App Store and Google Play, directly, or, indirectly, through the Site, by redirecting. For the purpose of these terms, this defition will be used irrespective of the modality of accesing the Pago App (through the Site or with the help of the mobile phone, directly from Apple App Store or Google Play);
• "Account on Third Site" means the Users’ accounts and the information found on other websites or other applications belonging to the Agreed Suppliers (as defined below), besides the Pago App, over which the Company has no right and for whose functioning the Company may not be liable. Insofar as the Application may not connect by an Account from a Third Site, we recommend you to verify if the Third Site presents connection problems before contacting the Company in view to remedy the issue;
• "Disclosure" means the making of personal data to unspecified persons, in any form whatsoever, including by making them available or consulting them (as defined in Article 2-ter(4)(b) of the Italian Privacy Code);
• "Italian Privacy Code" means Italian Legislative Decree No. 196/2003 as amended and/or supplemented (in particular by Italian Legislative Decree No. 101/2018);
• "Personal Data" or "PD" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, according to the definition from the ("GPDR");
• "Agreed Supplier" means the legal entity included in the Pago App to which the Users may make payments through the functions of the Pago App. The Agreed Suppliers are uploaded in the Application insofar as the Company or any of its collaborators has a contractual relationship with them in this sense;
• "Services" means the payment services of the invoices, charges, insurances, as well as any other type of payment offered to the User for free through the Pago App;
• "Supervisory Authority" the independent public authority established by a European Union state, or by the European Union itself, in charge of supervising the application of the Privacy Law (for Italy, Garante Privacy, http://www.garanteprivacy.it);
• "User" means any natural person, over 18 years’ old who registers and uses the Pago App, accepting these terms. For the avoidance of any doubt, the Pago App is not meant for the use by natural persons who do not meet the conditions described in this definition and, explicitely, is not meant to use by the minors (in the sense of the legislation applicable to a certain user);

3. The processed Personal Data,the purposes of processing

For and in relation with the operation of the Pago App, the Personal Data are processed based on several legal grounds and for several purposes:

• 3.1. On the basis of the Company’s legitimate interest to improve our services (art. 6, para. 1, let. f – legitimate interest) of GPDR, we process the following Personal Data, which we obtain either from the Account on Third Sites, or with the help of the technical capacities of the products mentioned at Section 4.1:
• 3.1.1. name and surname (in order to validate that a payment is made only by a certain person and to minimize the possibility that fictive persons register their accounts within the Application);
• 3.1.2. depending on the type of Agreed Supplier, the phone number and the address afferent to any contract between the User and any Agreed Supplier, if they are displayed in any invoice (in order to validate the performance of any payment by the titular / by the representative of the titular of the ownership / use / access right over the objective found at the address indicated in an invoice, and in order to notice the App’s coverage in the territory);
• 3.1.3. any other information available in any invoice (in order to give the User the possibility to see all the details afferent to the invoices correlated to the Agreed Suppliers at any moment, within the Pago App);
• 3.1.4. the type of consumption place afferent to the Agreed Supplier which is configured within the Pago App (respectively, the parents’ home, holiday home, domicile), in order to make easy for the User to exactly identify the amount to be paid afferent to a certain consumption place; Also, this information might be used to define the strategies for online marketing;
• 3.1.5. information about the number of accessing the Pago App, the last accessing by a certain User (in order to understand how and how often the Pago App is used);
• 3.1.6. Information about the town the User comes from, the devices used for accessing the Application and its operating system (in order to create statistics regarding the use of the Pago App and to define strategies for online marketing campaigns in certain geographical areas); all these details are supplied following the integration of Intercom product within the Application, about which you may find out more details in the Section 4.1.2 below.
• 3.2. Based on the need to deliver a service and perform all the activities related and subsequent, to the Users, respectively to make the Application functional (art. 6, para. 1, let. b of GPDR – performance of a contract), we process the following Personal Data:
• 3.2.1. the e-mail address (in order to be able to validate the creation of an account and, also, to send notifications and other information to the User about its activity in the Pago App – for example, payment confirmations);
• 3.2.2. bank card data (in order to allow the performance of payments through the Pago App); such data is processed by third parties, according to the information from Section 7.2.4 below, the company storing this data only for the purpose of displaying them in the Pago App, insofar as the User chooses its data to be upheld in order to facilitate the subsequent payment processes; In this latter case, the Company will save only the card tag (as is has been save by the User) and the specific token issued by the Payment Processor.
• 3.2.3. the user name and password afferent to the electronic payment services available on the sites / in the mobile application of the Agreed Suppliers (in order to be able to display (i) the amounts to be paid afferent to the invoices available in the Accounts of Third Parties, and (ii) the history of the payments made by the User and the invoices available in these Accounts on Third Sites); For clarity, the Company processes only the information mentioned in this section from the Accounts of Third Parties.
• 3.2.4. the amount to be paid, the suppliers of the services for which the amounts to be paid are owed indicated in the invoices and the client codes afferent to the systems of the Agreed Suppliers (in order to show this information in the Pago App and correlate the payments with the Agreed Suppliers to whom the payments are owed);
• 3.2.5. the payment date and hour afferent to the invoice (in order to communicate to the Agreed Supplier the moment when a certain payment was made and, as such, to confirm to the User that a payment was made before the due date afferent to the invoice, insofar as these details are asked by the User).
• 3.3. On the basis of the Company’s legitimate interest to ensure the security of the Application and your account on our legitimate interest in keeping our systems secure; (art. 6, para. 1, let. f legitimate interest) of GPDR, we process the usage data (log data, IP address).
• 3.4. On the basis of a need to take pre-contractual measures at your request (Art. 6.1.b GPDR), satisfying your requests regarding the Site and our activities received at the contact details on the Site or Say your opinion section from the Application, we process the Data that you provide us with your request.
• 3.5. On the basis of establishing, exercising and/or defending legal claims; (art. 6 § 1.f - legitimate interest) of the GPDR, we process the Personal Data which are mentioned in above 3.1 and 3.2 paragraphs.
• 3.6. On the basis of compliance with obligations under Applicable Law and/or orders issued by Authorities based on the need to fulfill legal obligations to which the Data Controller is subject (art. 6 § 1.c of the GPDR - the need to fulfill legal obligations from another source), we process the Personal Data which are mentioned in above 3.1 and 3.2 paragraphs.

4. Additional information

• 4.1. Company’s processors
  The Personal Data processed through the Application is made available to the following third entities, whose products / services are necessary for the Application’s development and operation:
• 4.1.1. Google Ireland Limited, for the product Firebase by Google, used for the development in a centralized and safe environment of the Pago App, and for the product Fabric, used to study the good functioning of the Pago App;
  
  The Policy regarding the personal data processing by Firebase by Google is accessible here, and that by Fabric is accessible here.
• 4.1.2. Solarwinds Worldwide LLC, for the product Loggly, used for being able to view the accessing of the Pago App and the actions performed within the Pago App;
  
  The Policy regarding the personal data processing by Loggly is accessible here.
• 4.1.3. Google LLC, for the product Google Analytics, used for analyzing the users activity on the website pagoplateste.ro / pago.ro;
  
  The Policy regarding the personal data processing by Google Analytics is accessible here.
• 4.1.4. HotJar Ltd, for the product HotJar, used for analyzing the users’ activity on the website pagoplateste.ro / pago.ro;
  
  The Policy regarding the personal data processing by HotJar is accessible here.
• 4.1.5. Amazon Web Services, Inc., for the product Amazon Relational Database Services, used for storing all the data generated by the Pago App;
  
  The Policy regarding the personal data processing by Amazon Relational Database Services is accessible here.
• 4.1.6. Digital Ocean, LLC, for the products Spaces e Tools and Integrations, used as an environment for developing the Pago App;
  
  The Policy regarding the personal data processing by Digital Ocean is accessible here.
• 4.1.7. MixPanel, Inc., whose products are used in order to analyze the users’ activity within the Application, Android version;
  
  The Policy regarding the personal data processing by MixPanel is accessible here.
• 4.1.8. In order to offer the services within the Pago App, the company concludes agreements with various Agreed Suppliers, based on which the latters have the possibility to collect the payments afferent to invoices or other chargings through the Pago App.
• 4.2. About the Agreed Suppliers
  
  When choosing these entities, the Company takes into consideration the observance by them of the provisions applicable in the matter of Personal Data processing. Insofar as the Company decides to add or to replace these entities, you will be notified in advance, having the possibility to refuse any further use of the Pago App should you consider that the Personal Data processing by another entity is not favorable to you.
• 4.2.1. These Agreed Suppliers are those establishing the purpose for the Users’ Personal Data processing, respectively, in the case of the Pago App, for processing the payments afferent to the invoices issued by these Agreed Suppliers.
• 4.2.2. Insofar as the User wants to find out more details about the Personal Data held by the Agreed Supplier about the User, it may contact the Agreed Supplier by using the contact data indicated in the Pago App, or the contact data supplied by the Agreed Supplier when the User become client of this Agreed Supplier.
• 4.2.3. At the same time, we recommend the consultation of the policies regarding the Personal Data processing which each Agreed Supplier makes available for consultation on the official site or at the nearest registered office / subsidiary / branch / working point.
• 4.3. The term of Personal Data processing
• 4.3.1. The Personal Data supplied by the Users will be processed by the Company in electronic format, during the entire period when the natural person supplying the Personal Data has the quality of a User, as well as for a period of one year after the termination of this term, unless the provisions of the Applicable Law specify otherwise.
• 4.3.2. The Personal Data is kept after the period when the natural person is a User of the Pago App, in order to study to what extent certain activities of the Company determine the reinstalment of the Application by the previous Users. Anyway, after deleting the User’s account from the Application and the elapse of the term indicated above at point 4.3.1, the User’s Personal Data will be used only for statistic and analysis purposes, in order to present in various public contexts, relevant information about the number of historical users of the Application and about their activities in the Application.

5. Users’ rights

The Users beneficiate from the following rights in relation with the Personal Data belonging to them, which they may exercise by using the section Say your opinion from the Pago App or by sending an e-mail to personaldata@pago.app:

• 5.1. The right to access the Personal Data
• 5.1.1. Any User may ask the Company, for free, by a request once per 6 months, the confirmation of the fact that there are Personal Data about the User processed or not by the Company. If yes, the Company must inform the User about: the purposes of the processing; the categories of data which are processed and, insofar as these Personal Data are not current / updated / relevant, the right to ask for the rectification, erasure or restriction of such Personal Data proccessing, or the right to oppose the Personal Data processing; the natural persons / legal entities with acces to the Personal Data; the storage term of the Personal Data; the right to submit a complaint with the National Supervisory Authority for Personal Data Processing which is the Garante Privacy (in Italy, www.garanteprivacy.it), or with the Data Protection Authority of the EU Member State where he/she normally resides or works, or of the place where the alleged infringement occurred, insofar as the User considers that it cannot exercise its rights in relation with the Controller.
• 5.1.2. The Company will charge an administration fee for supplying this information, insofar as the requests made by a User are more frequent than once per 6 months, a fee which will be communicated to the User when it makes a new request within the mentioned term, including the previous request.
• 5.2. The right to rectify the Personal Data
  
  Any User may ask the Company, for free, to rectify the inexact Personal Data regarding it. If it deems necessary, after the Company’s answer, the User may ask for its Personal Data to be completed, and the Company may either make the necessary modifications into User’s account from the Pago App, or indicate to the User the steps whereby it may make this rectification himself.
• 5.3. The right to erase the Personal Data
• 5.3.1. The User may ask the Company to erase the Personal Data regarding it, following that the Company complies with this request in the following situations:
• 5.3.1.1. In case the Personal Data whose erasure is asked for are no longer necessary to the Company for fulfilling the purposes for which they were collected or processed. In this sense, the Company will send an answer to the User, explaining the necessity to process the respective Personal Data reported to the purposes of the processing, but also the consequences of its erasure. Insofar as the User considers that this processing no longer complies with the purposes indicated by the Company, it may hold on positions as regards the erasure of the Personal Data, assuming also the liability for any effects related to the use of the Application following the erasure of these Personal Data;
• 5.3.1.2. Should the User withdraw its consent for the Personal Data processing, if the respective Personal Data are processed based on the User’s consent, as legal grounds (you may find more details about the grounds based on which we process the Personal Data in Section 3 above);
• 5.3.1.3. If the User opposes the processing of the Personal Data, according to the provisions of this Policy; the company will send an answer to the User, indicating the extent to which there are legitimate reasons for further processing the Personal Data. In the situation when the Company sends a newsletter to the Users or other commercial communication means, the User will have at any time and irrespective of the reason, the possibility to choose not to receive such communications anymore;
• 5.3.1.4. If the User considers that the Processing of the Personal Data was illegal; The Company will send an answer to the User, explaining the extent to which there are legal grounds for processing the Personal Data; Insofar as the User considers that this processing no longer complies with the purposes indicated by the Company, it may hold on positions as regards the erasure of the Personal Data, assuming also the liability for any effects related to the use of the Application following the erasure of these Personal Data;
• 5.3.2. The Company may refuse to comply with the User’s request if the Personal Data whose erasure is requested may not be erased due to any legal obligations regarding the Company’s activity (in this case the Company will indicate to the User the grounds of this legal obligation), or due to storage or statistic reasons (in this case the Company will indicate to the User the measures it may take in order to make sure that the User’s Personal Data are processed in a safe manner and, at the same time, that the processing takes place only for giving aggregate information about the User’s conduct in relation with the Pago App).
• 5.4. The right to restrict the Personal Data processing
  
  The User has the right to ask the Company to restrict its Personal Data processing, in one of the following cases:
• 5.4.1. The User indicates the fact that the Personal Data regarding it is not correct, and the Company may not rectify the Personal Data indicated when it received the information from the User;
• 5.4.2. The User indicates that the processing is illegal, but does not want to erase the data, but only to restrict its processing;
• 5.4.3. The User indicates that it wants its Personal Data to be accessible within the Pago App so that it may use them for protecting / exercising / ascertaining of any right in front of any authority, but it does not want its Personal Data to be processed for other purposes too;
• 5.4.4. The User appeals the legitimate interest of its Personal Data processing (which is processed based on a legitimate interest) by the Company, and the Company may not assess, when receiving the request from the User, insofar as the Company’s legitimate interest prevails over the right exercised by the User.

In case the right to restriction of the processing is applied, the Company will previously inform the User, as the case may be, before the moment when the restriction of the processing will no longer be applicable, the Personal Data following to be processed again.

• 5.5. The right to ask for the Personal Data portability.
  
  The User may ask the Company to send all its Personal Data which the User supplied to the Company (thus, only the Personal Data introduced by the User, directly, in the Pago App, or which refer to its preferences within the Pago App), in a format that allows the User to send these Personal Data to another entity (for example, to another payment services operator), in order to access new services or products. This right may be exercised only as regards the Personal Data processed based on the User’s consent, or for executing the agreement with the User.
• 5.6. The right to oppose
• 5.6.1. The User has the right to oppose to the processing of the Personal Data which are processed based on the legitimate interest of the Company, according to the provisions of this Policy. In this sense, the User may send an e-mail to the Company at the address personaldata@pago.app, or using the section Say your opinion from the Application, mentioning the reason for opposing the processing of the Personal Data regarding it (totally or partially).
• 5.6.2. The Company will answer to the User within 30 days as from receiving the request, indicating to what extent it considers that the Company’s legitimate interest prevails over the reason for opposing indicated by the User.
• 5.6.3. In case the User does not want to receive marketing and/or promotion messages from the Company (insofar as the Company sends such messages to the User), it may express its option at any moment, in an absolute way.
• 5.6.4. In case the exercise of the right by the User is legitimate, the Company will take the necessary steps in orde to cease processing the Personal Data of the respective User.
• 5.7. The User has the possibility to address to the National Supervisory Authority for Personal Data Processing, which is the Garante Privacy (in Italy, http://www.garanteprivacy.it), or with the Data Protection Authority of the EU Member State where he/she normally resides or works, or of the place where the alleged infringement occurred, insofar as it considers itself unjustified by the answer received from the Company / the absence of an answer to its request for exercising one of the rights mentioned in this Policy.
• 5.8. Correspondence
• 5.8.1. In view to exercising the rights provided above, the User may contact the Company at the address personaldata@pago.app, or it may access the section Say your opinion from the Pago App.
• 5.8.2. The Company will analyze each individual request and will communicate with the User in order to comply to its requests in a manner as close as possible to the User’s expectations.
• 5.8.3. The Company will answer to all the requests of the Users within 30 calendar days as from the receipt of the request. Insofar as it is necessary to extend this term, the Company will inform the applicant User about this need, before the expiration of the initial term.
• 5.9. The exercise of the above rights may also be delayed, limited or excluded in the cases provided for in Article 2-undecies of Italian Legislative Decree No. 196/2003.

6. The confidentiality of the Personal Data

• 6.1. The Company uses only the Personal Data it needs in order to offer the Pago App. Insofar as we no longer need to process certain Personal Data, we will waive its processing and we will inform you about these modifications regarding the Personal Data processing.
• 6.2. When processing the Personal Data, the Company offers access only to the employees / collaborators of the Company which need access to certain Personal Data in order to carry out their activity based on the relationship with the Company.
• 6.3. Besides the entities mentioned in this Policy, we will not grant access to the Personal Data to other third entities without previously informing you about such a need.

7. Processing security

• 7.1. The Company is obliged to administer in safe conditions the Personal Data supplied by the Users through the Pago App.
• 7.2. The Personal Data is protected as follows:
• 7.2.1. from the point of view of the possibility to view and access the Personal Data, this is encrypted against any unauthorized access. Thus, the entire transfer of data, including the Personal Data transfer, between the User and the Pago App is encrypted;
• 7.2.2. from the point of view of keeping the Personal Data, this is stored though cloud secured services offered by third parties (Amazon Web Services Inc. and Digital Ocean LLC);
• 7.2.3. all information about the Users’ bank cards used within the Pago App is stored on the server of the payments processor Credorax. The payment information is taken over directly into screens stored on Credorax servers, not being sent back to the User’s terminal or to any other system, including the Company’s systems.
• 7.2.4. all the transactions are authorized and processed by using encrypted identification keys, unique for each card, which are communicated through a secure channel between the Pago App and Credorax. For any information related to any payment processing or transaction performed within the Pago App, we kindly ask you to send us an e-mail at support@pago.app.
• 7.3. The security of the User’s account depends also on the maintenance of the confidentiality of the connecting data on the platform by the User. In this sense, the Company recommends the Users:
• 7.3.1. to use a strong password and to renew it at regulated intervals of time;
• 7.3.2. to avoid the use of the same password for multiple applications;
• 7.3.3. to implement automated systems for debugging and securing the information systems used for accessing the Pago App;
• 7.3.4. to avoid storing the password for the User account in unprotected documents or accessible by third parties;
• 7.3.5. to avoid disclosing the details regarding the password for the User’s account by other persons.
• 7.4. The Company will not be held liable for the User’s negligence or inaction which determine the compromise of the account’s security from the Pago App.

8. About the Site

Within the Site, the Company collects and processes PD which come to its possession in the following situations:

• through the contact form available in the section Contact, in which case there are collected and processed: the name and surname, together with the e-mail address and any other information available within the field Your message. The PD collected in this form are processed based on the legitimate interest of the Company of being able to build a long relationship and a history of the conversions with any person contacting the Company.
• through the contact button, available on each page of the Site, where the messages received are collected and processed with the help of the product Intercom, whose policy on Personal Data processing is available here.

All changes envisaged in this Policy will be announced to you well in advance of the actual entry into force of these changes.

9. Governing law

This Policy is subject to the provisions of Italian Lawand any other mandatory conditions of provisions in force in the European Union, and will be interpreted in accordance with them.