RO EN
POLICY ON PERSONAL DATA PROCESSING
(„The Policy”)
last updated on 20.10.2022

IMPORTANT: When you confirm that you have read and understood this Policy, upon creating your account in the Application, we consider that you understood how your personal data (“ DCP”) are used within the Application. Each time we are required by the applicable law or, otherwise, want to use this legal basis, we will request your free, informed, specific and unequivocal consent for the processing of your DCP. By expressing your consent, you agree that we can collect, use, reveal, process and transfer your DCP in accordance with this Policy.

This Policy is meant to present to you as clear and transparent as possible the way your DCP are processed by us (we, the “Company”, defined below), as a data controller. As such, the Policy shall not apply in relation to any other processing operation regarding the DCP performed by any other natural or legal person, as a data controller, such as, without limitation, the Insurance Broker with which the Company collaborates.

The document is in a continuous change – we recommend you to visit with regularity this document in order to keep yourself updated to its latest version.

In case you have questions about the DCP, please send us an e-mail at datepersonale@pago.ro or, after the creation of the account within the Application, use the section Say your opinion from the Application.

Also, Section 8 below contains information about DCP processing through the sites associated to the names of the domains pago.ro and pagoplateste.ro respectively (the “ Site”, collectively), DCP which are collected and processed when you access the Site.

BRIEFLY
At Pago (the “Application”), we want to offer you (you, the “ User”) the possibility to pay and/or contract as many services as possible from utilities suppliers or other types of services, in one place. In order to achieve this objective, we must access several types of DCP.

This is why, we kindly ask you to read this Policy in order to understand what is the relationship between the DCP belonging to you and the Application, more exactly: who processes these DCP, for what purpose and based on what grounds the processing is made, which are your rights as regards the DCP belonging to you.

What DCP do we refer to? The Application processes the information obtained from you both directly (for example, when you fill in a form or text box within the Application, such as the registration form or the form afferent to the section Say your opinion) and indirectly (following an action you perform in the Application, such as connecting to an electronic account found on the site / in the application of a services supplier).

A part of this information is DCP (meaning information which may identify you or which may lead to your identification). Among these:

  • one category is necessary for the Application to function (for example, the e-mail address is necessary for us to send you the payment confirmations of the invoices by e-mail and, thus, to ensure the predictability of the way the Application works);
  • another category is used based on a legitimate interest of ours (we, the“ Company”, defined below) – for example, the name and forename are processed in order to correlate the invoices afferent to one supplier to the payments made by a User, in case of suspicions of fraud;
  • finally, one last category of DCP is processed with your explicit, prior consent prior to the moment when your consent is necessary. You may find out more details about the processed DCP in Section 3 below.

Who may process your DCP through the Application?
First of all, the entity operating the Application, hereinafter the “Company”: Timesafe SRL, a company registered and functioning in Romania. You may find out more about us and our identification data by accessing the Terms and Conditions of the Application accessible here, by using the section Say your opinion from the Application or by e-mail at support@pagoplateste.ro.

Secondly, in the development and operation of the Application, we use products and services developed and operated by third parties. They may access a part of the DCP offered within the Application and process it according to the purposes indicated by us. All these third parties and their role in the architecture of the Application and of the DCP processing are described in Section 4.1 below.

Thirdly, a meaningful part of the DCP belonging to you is taken over and processed from the services suppliers whose electronic accounts you connect within the Application. You may find out more about the DCP deriving from the accounts of the services suppliers in Section 4.2 below.

Fourthly, when you access the Insurance section from the Application, the DCP belonging to you and requested in the respective situation, are processed by the Insurance Broker with which the Company collaborates. You may find out more about the DCP processed in this situation in Section 3.3 below.

Fifthly, if you choose to connect your Pago App account with the BT Pay App account, your DCP which are stored in your User account, will be transferred to Banca Transilvania SA, who will process them pursuant to Banca Transilvania’s privacy policy available here

Sixthly, if you wish to receive notifications sent by email by CNAIR, in connection to the expiry of the validity period of part of the Services, your DCP will be sent to CNAIR, who will process them in accordance with its data privacy policy.

All DCP belonging to you are processed by third parties who either are and process the DCP on the territory of the European Union, or they process this DCP according to the provisions of the European Union law. Thus, we want to collaborate only with the entities processing the DCP by means of systems found on the territory of the European Union and to use DCP storage services which offer us the possibility to store it on the territory of the European Union or according to the regulations of the European Union.

You have several rights as regards the DCP, which we are open to help you exercise. You may find out more about these rights in section 5 of this Policy.

Should you have questions or need clarifications with regard to the content of this Policy,, you may contact us at datepersonale@pago.ro or you may use the section Say your opinion from the Application.

This Policy is completed with the terms and conditions for use of the Pago App, available for consultation here.

1. Details about the controller

Timesafe SRL, a Romanian legal entity, with headquarters in Voluntari, Ilfov county 87-2F Erou Iancu Nicolae Road, registered with the Trade Registry under no. J23/1658/2016, UIC 35968582 (hereinafter referred to as the "Company"), titular of all the rights over the Pago App (as these terms are defined below), observes the private character and the security of personal data processing of each user of this application, having the quality of personal data controller, according to the provisions of European Union General Regulation on Personal Data Processing no. 2016/679 (“ GDPR”).

2. Definitions

In this document, the words used in capitals will have the following meanings:

  • a) "The Pago App" or the “Application” means the software application, over which the company is the exclusive titular of rights, whereby the Users (as defined below) may make electronic payments online, to various suppliers of services, accesible for being downloaded by the Users on their mobile phones, through Apple App Store and Google Play, directly, or, indirectly, through the Site, by redirecting. For the purpose of these terms, this defition will be used irrespective of the modality of accesing the Pago App (through the Site or with the help of the mobile phone, directly from Apple App Store or Google Play);
  • b) "Pago-Samsung App" means the software application, over which the Company (as defined below) is the holder of rights, whereby the Users (as defined below) may connect to the Pago App and may make electronic payments online, to various suppliers of services, accessible for being downloaded by the Users on their Samsung smart TVs, through Samsung Tyzen Store. Under this Policy, through the Pago-Samsung App, no other DCP is processed other than those processed through the Pago App. Also, the effects of DCP processing through the Pago App, as described in this Policy, may reflect on the use experience in the Pago-Samsung App.
  • c) "CNAIR" means the National Company for the Road Infrastructure Administration, headquartered in Bucharest, 1st district, 38 Dinicu Golescu St., having registration number J40/552/2004 and sole identification number 16054368, tel. 021.264.32.47; since these pieces of data can change in time, we recommend you visit CNAIR’s website at http://www.cnadnr.ro/ for more information and to make sure you have updated identification and contact data of CNAIR;
  • d) "Account on Third Site" means the Users’ accounts and the information found on other websites or other applications belonging to the Agreed Suppliers or to the BT Pay Application (as defined below), besides the Pago App, over which the Company has no right and for whose functioning the Company may not be liable. Insofar as the Application may not connect by an Account from a Third Site, we recommend you to verify if the Third Site presents connection problems before contacting the Company in view to remedy the issue;
  • e) "Personal Data" or “DCP” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, according to the definition from the (“GDPR”);
  • f) "Agreed Supplier" means the legal entity included in the Pago App to which the Users may make payments through the functions of the Pago App. The Agreed Suppliers are uploaded in the Application insofar as the Company or any of its collaborators has a contractual relationship with them in this sense;
  • g) "BT Pay Application" means the mobile application accessible for being downloaded by the Users on their mobile phones, through Apple App Store and Google Play, operated and, unless otherwise indicated, owned exclusively by Banca Transilvania S.A., a Romanian financial institution, with its headquarters at 8, George Baritiu, Cluj-Napoca, registered with the Trade Register under no. J12/4155/1993, and having unique tax code no. RO 502267, which may be integrated with the Pago App in order to offer Users the possibility of accessing Our services without accessing the Pago App.
  • h) "Services" means the payment services of the invoices, charges, insurances, as well as any other type of payment offered to the User for free through the Pago App;
  • i) "User" means any natural person, over 18 years’ old who registers and uses the Pago App, accepting these terms. For the avoidance of any doubt, the Pago App is not meant for the use by natural persons who do not meet the conditions described in this definition and, explicitely, is not meant to use by the minors (in the sense of the legislation applicable to a certain user);
  • j) "Donate with Pago" is the Company's campaign through which Pago App Users and Site users have the possibility to make donations to certain Non-Governmental Organizations (as defined below);
  • k) "Non-Governmental Organization" is a non-profit non-governmental organization such as an association, foundation or federation selected to participate in the Donate with Pago campaign in accordance with the Regulation available here.
  • l)“Ghiseul.ro" is a platform managed by Agentia pentru Agenda Digitata a Romaniei (a specialized public institution of the central public administration, with legal person status, under the management of the Ministry of Communications and Information Society) through which users can pay taxes as levied by public institions enrolled in the platform as well as conventional fines.

3. The processed Personal Data and the purposes of processing

For and in relation with the operation of the Pago App, the Personal Data are processed based on several legal grounds and for several purposes:

  • 3.1. On the basis of the Company’s legitimate interest to provide our services and to improve our services (art. 6, para. 1, let. f of GDPR – legitimate interest), we process the following Personal Data, which we obtain either from the Account on Third Sites, the BT Pay App or with the help of the technical capacities of the products mentioned at Section 4.1:
  • 3.1.1 name and surname (in order to validate that a payment is made only by a certain person and to minimize the possibility that fictive persons register their accounts within the Application);
  • 3.1.2. depending on the type of Agreed Supplier, the phone number and the address afferent to any contract between the User and any Agreed Supplier, if they are displayed in any invoice (in order to validate the performance of any payment by the titular / by the representative of the titular of the ownership / use / access right over the objective found at the address indicated in an invoice, and in order to notice the App’s coverage in the territory);
  • 3.1.3. any other information available in any invoice (in order to give the User the possibility to see all the details afferent to the invoices correlated to the Agreed Suppliers at any moment, within the Pago App);
  • 3.1.4. the type of consumption place afferent to the Agreed Supplier which is configured within the Pago App (respectively, the parents’ home, holiday home, domicile), in order to make easy for the User to exactly identify the amount to be paid afferent to a certain consumption place); Also, this information might be used to define the strategies for online marketing.
  • 3.1.5. information about the number of accessing the Pago App, the last accessing by a certain User (in order to understand how and how often the Pago App is used);
  • 3.1.6. Information about the town the User comes from, the devices used for accessing the Application and its operating system (in order to create statistics regarding the use of the Pago App and to define strategies for online marketing campaigns in certain geographical areas); all these details are supplied following the integration of Intercom product within the Application, about which you may find out more details in the Section 4.1.2 below.
  • 3.2. Based on the need to deliver a service to the Users, respectively to make the Application functional (art. 6, para. 1, let. b of GDPR – performance of a contract), we process the following Personal Data:
  • 3.2.1. the e-mail address (in order to be able to validate the creation of an account, to send notifications and other information to the User about its activity in the Pago App – for example, payment confirmations and, also, to be able to integrate our Services with the BT Pay App);
  • 3.2.2. bank card data (in order to allow the performance of payments through the Pago App); such data is processed by third parties, according to the information from Section 7.2.4 below, the company storing this data only for the purpose of displaying them in the Pago App, insofar as the User chooses its data to be upheld in order to facilitate the subsequent payment processes; In this latter case, the Company will save only the card tag (as is has been save by the User) and the specific token issued by the Payment Processor.
  • 3.2.3. the user name and password afferent to the electronic payment services available on the sites / in the mobile application of the Agreed Suppliers (in order to be able to display the amounts to be paid afferent to the invoices available in the Accounts of Third Parties, and also the history of the payments made by the User and the invoices available in these Accounts on Third Sites); For clarity, the Company processes only the information mentioned in this section from the Accounts of Third Parties.
  • 3.2.4. the amount to be paid, the suppliers of the services for which the amounts to be paid are owed indicated in the invoices and the client codes afferent to the systems of the Agreed Suppliers (in order to show this information in the Pago App and correlate the payments with the Agreed Suppliers to whom the payments are owed);
  • 3.2.5. the payment date and hour afferent to the invoice (in order to communicate to the Agreed Supplier the moment when a certain payment was made and, as such, to confirm to the User that a payment was made before the due date afferent to the invoice, insofar as these details are asked by the User);
  • 3.3. DCP for Insurances, Vignette, and Passages
  • Insurances

    At the same time, as regards the DCP requested from the User in the Insurance section from the Application, based on which one may display the insurance offers and, also, the afferent RCA agreement may be signed, or a travel insurance might be concluded, they are processed by the Insurance Broker with which the Company collaborates, which acts as a data controller. You may find out more details about the data processing by the Insurance Broker by accessing the Terms and Conditions for use from the section Insurances, available here.

    Also, insofar as the User wants to find out more details about the Personal Data held by the Insurance Broker about the User, it may contact the Insurance Broker by using its contact data indicated in the Terms and Conditions for use from the section Insurances.

    At the same time, we recommend the consultation of the policy regarding the Personal Data processing of the Insurance Broker.

    However, also the Company will process part of the DCP, as a data controller. In this situation, the Company will process the phone number, for the purpose of sending notices to the User regarding usefull information in relation to the conluded insurance policies. The legal ground for this processing is the User’s consent.

  • Vignette and Passages

    As regards the DCP processed for paying a Vignette or a Passage fee, they are sent by the Company to CNAIR, which acts as a data controller (they are sent in order to issue the Vignette and to pay the Pssage fee). We recommend to read the policy regarding the Personal Data processing of CNAIR. The legal ground for this processing is the performance of an agreement.

    If the User consents to receive notifications regarding the expiration of the Vignette, the Company will send the email address to CNAIR, which will notify the User by email. Also, the Company will notify the User about the expiration of the Vignette. The legal ground for this processing acitivities is the User’s consent.

  • 3.4. With regard to processing of DCP in the context of the Donate with Pago campaign, the Company performs the following processing operations the:

  • 3.4.1. In case of Users who donate to a Non-Governmental Organization, we will process the following DCP, based on the need to deliver a service to the Users (art. 6, parag. 1, let. c) of GDPR - performance of a contract)
  • 3.4.1.1. first name, last name, e-mail address, amount donated (in order to to make the donation); also, based on the User's consent, we will transfer this data to the Non-Governmental Organization.
  • 3.4.1.2. the card details of the User (to enable a donation to be made through the Pago App); this data shall be processed in accordance with sections 3.2.2 above and 7.2.4 below.
  • 3.4.1.3. the amount donated by the User and donation details (to display this information in the Pago App);
  • 3.4.1.4. first name, last name, e-mail address of the User and location (so that we can send news about the Non-Governmental Organizations and about Donate with Pago); this data are processed based on the User’s consent.
  • 3.4.2. In case of the Site users donating to a Non-governmental Organization or voting a Non-Governmental organization, we will process the following DCPs - based on the need to deliver a service to our users (art. 6, parag. 1, let. c) of GDPR - performance of a contract):
  • 3.4.2.1 the IP address of the Site user and the Non-governmental Organization which was voted (to give the user the possibility to vote the Non-Governmental Organization that can take part in our campaign); Although the IP address is not collected for the purpose of identifying a person, if it could lead to the identification of an individual, this Policy becomes applicable.
  • 3.4.2.2 first name, last name and e-mail address of the Site user and the amount donated (to be able to send confirmation of donation); also, based on the Site user's consent, we will transfer this data to the Non- Governmental Organization;
  • 3.4.2.3 the card details of the Site user (in order to be able to make a donation through the Site); this data shall be processed in accordance with sections 3.2.2 above and 7.2.4 below.
  • 3.4.2.4 first name, last name, e-mail address of the Site user and location (so that we can send news about the Non-Governmental Organizations and about Donate with Pago); this data are processed based on the user’s consent.
  • 3.4.3 In case of the contact persons representing a Non-Governmental Organization, we will process the following DCP, based on the need to provide a service (art. 6, parag. 1, let. c) of GDPR - performance of a contract):
  • 3.4.3.1 first name, last name, e-mail address, phone number filled in the registration form (to register the Non-Guvernmental Organization in the campaign);
  • 3.4.3.2 first name, last name, e-mail address, phone number (in order to communicate during the Non-Governmental Organization selection process, and during the Donate with Pago campaign). We may also process this DCP on our legitimate interest in ensuring the conduct of the Donate with Pago campaign (art. 6, para. 1, let. f) of GDPR - legitimate interest);
  • 3.4.3.3 email address (to send confirmations regarding the donations received by the Non-Governmental Organization);
  • 3.4.4 The processing operations mentioned in this section 3.4. are performed as of the date of availability of Donate with Pago feature and as of the date of starting the campaign for selecting the Non- Governmental Organizations.
  • 3.5. With regards to processing DCP to be used for the taxes section, the Company will process the following DCP with consent from the User (art. 6, para 1, letter a from GDPR – the consent of the owner):

  • 3.5.1. surname, name and CNP (Personal Numeric Code) for the use of the Ghiseul.ro section
  • 3.5.2. DCP contained in the payment confirmation (taxpayer name, taxpayer CNP as well as any other information mentioned in the confirmation regarding the payment date and the beneficiary institution, such as name and CUI of the beneficiary institution, number of the confirmation, date and time of the payment, details about the payment, beneficiary fiscal unit, due date, value paid, IBAN account of the beneficiary) as received from Ghiseul.ro (in order to display this information in Pago App and as proof of the effect of using the Ghiseul.ro section.
  • 3.5.3. username and password of the Ghiseul.ro account (for downloading the payment history and payment confirmations)

4. Additional information

  • 4.1. Company’s processors
    The Personal Data processed through the Application is made available to the following third entities, whose products / services are necessary for the Application’s development and operation:
  • 4.1.1. Google Ireland Limited, for the product Firebase by Google, used for the development in a centralized and safe environment of the Pago App, and for the product Fabric, used to study the good functioning of the Pago App;
    The Policy regarding the personal data processing by Firebase by Google is accessible here, and that by Fabric is accessible here.
  • 4.1.2. Intercom R&D Unlimited Company, for the product Intercom, used for managing the User’s Personal Data and interacting with the Users directly from the Application;
    The Policy regarding the personal data processing by Intercom is accessible here.
  • 4.1.3. Solarwinds Worldwide LLC, for the product Loggly, used for being able to view the accessing of the Pago App and the actions performed within the Pago App;
    The Policy regarding the personal data processing by Loggly is accessible here.
  • 4.1.4. Google LLC, for the product Google Analytics, used for analyzing the users activity on the website pagoplateste.ro / pago.ro;
    The Policy regarding the personal data processing by Google Analytics is accessible here.
  • 4.1.5. HotJar Ltd, for the product HotJar, used for analyzing the users’ activity on the website pagoplateste.ro / pago.ro;
    The Policy regarding the personal data processing by HotJar is accessible here.
  • 4.1.6. Amazon Web Services, Inc., for the product Amazon Relational Database Services, used for storing all the data generated by the Pago App;
    The Policy regarding the personal data processing by Amazon Relational Database Services is accessible here.
  • 4.1.7. Digital Ocean, LLC, for the products Spaces and Tools and Integrations, used as an environment for developing the Pago App;
    The Policy regarding the personal data processing by Digital Ocean is accessible here.
  • 4.1.8.MixPanel, Inc., whose products are used in order to analyze the users’ activity within the Application, Android version;
    The Policy regarding the personal data processing by MixPanel is accessible here.

When choosing these entities, the Company takes into consideration the observance by them of the provisions applicable in the matter of Personal Data processing. Insofar as the Company decides to add or to replace these entities, you will be notified in advance, having the possibility to refuse any further use of the Pago App should you consider that the Personal Data processing by another entity is not favorable to you.

  • 4.2. About the Agreed Suppliers
  • 4.2.1. In order to offer the services within the Pago App, the company concludes agreements with various Agreed Suppliers, based on which the latters have the possibility to collect the payments afferent to invoices or other chargings through the Pago App.
  • 4.2.2. These Agreed Suppliers are those establishing the purpose for the Users’ Personal Data processing, respectively, in the case of the Pago App, for processing the payments afferent to the invoices issued by these Agreed Suppliers.
  • 4.2.3. Insofar as the User wants to find out more details about the Personal Data held by the Agreed Supplier about the User, it may contact the Agreed Supplier by using the contact data indicated in the Pago App, or the contact data supplied by the Agreed Supplier when the User become client of this Agreed Supplier.
  • 4.2.4. At the same time, we recommend the consultation of the policies regarding the Personal Data processing which each Agreed Supplier makes available for consultation on the official site or at the nearest registered office / subsidiary / branch / working point.
  • 4.3. The term of Personal Data processing
  • 4.3.1. The Personal Data supplied by the Users will be processed by the Company in electronic format, during the entire period when the natural person supplying the Personal Data has the quality of a User, as well as for a period of one year after the termination of this quality.
  • 4.3.2. The Personal Data is kept after the period when the natural person is a User of the Pago App, in order to study to what extent certain activities of the Company determine the reinstalment of the Application by the previous Users. Anyway, after deleting the User’s account from the Application and the elapse of the term indicated above at point 4.3.1, the User’s Personal Data will be used only for statistic and analysis purposes, in order to present in various public contexts, relevant information about the number of historical users of the Application and abut their activities in the Application.
  • 4.3.3. As regards the DCP processed in relation to Donate with Pago, the storage duration differs depending on the context of the processing. We store the DCP strict for the period necessary to fulfill the purposes for which DCP were collected. As a rule, the DCP processed in the context of campaign and the selection of Non-Governmental Organisations will be stored for a duration of 2 years, the DCP processed in the context of the donation will be stored for 5 years, the DCP processed in order to send marketing messages will be processed as long as you do not withdraw your consent. For more information regarding the storage duration, please contact us at datepersonale@pago.ro.
  • 4.3.4. With regards to DCP processed in the context of the Ghiseul.ro section, as a rule, DCP will be processed as long as the User has an account in Pago App and is using the Ghiseul.ro section. Despite this, DCP will be processed only as long as the User does not revoke their consent. For more details regarding the duration of the processing period, please contact us on datepersonale@pago.ro.
  • 4.3.5. Regarding DPCs processed by virtue of the integration with the BT Pay App, DCPs shall be processed as long as both accounts in the BT Pay Application and Pago Application are active. Deleting the Pago App account has no effect on the DCPs which were previously transferred to the BT Pay Application.
  • 4.3.6. Regarding DCP processed for paying the Vignete and the Passage fee, DCP shall be processed during their validity period.
  • 4.4. Integration with the BT Pay Application
  • In order to provide the Services through the BT Pay Application, the Company makes available all personal data provided by the User within the Pago application to the following third party: Banca Transilvania SA, a credit institution established in Romania, with its registered office in Cluj-Napoca, George Baritiu street no. 8, Cluj county, registered at the Trade Register under no. J12 / 4155/1993, unique code RO 502267.
  • The DCP that will be transferred to BT Pay include your e-mail address, the unique User code automatically generated by the Pago App, your Agreed Suppliers and your payment history.
  • The processing of the personal data by Banca Transilvania S.A. is governed by the Privacy policy available here

5. Users’ rights

The Users beneficiate from the following rights in relation with the Personal Data belonging to them, which they may exercise by using the section Say your opinion from the Pago App or by sending an e-mail to datepersonale@pago.ro:

  • 5.1. The right to access the Personal Data
  • 5.1.1. Any User may ask the Company, for free, by a request once per 6 months, the confirmation of the fact that there are Personal Data about the User processed or not by the Company. If yes, the Company must inform the User about: the purposes of the processing; the categories of data which are processed and, insofar as these Personal Data are not current / updated / relevant, the right to ask for the rectification, erasure or restriction of such Personal Data proccessing, or the right to oppose the Personal Data processing; the natural persons / legal entities with acces to the Personal Data; the storage term of the Personal Data; the right to submit a complaint with the National Supervisory Authority for Personal Data Processing, insofar as the User considers that it cannot exercise its rights in relation with the Controller.
  • 5.1.2. The Company will charge a tax for supplying this information, insofar as the requests made by a User are more frequent than once per 6 months, a tax which will be communicated to the User when it makes a new request within the mentioned term, having the same object.
  • 5.2. The right to rectify the Personal Data
    Any User may ask the Company, for free, to rectify the inexact Personal Data regarding it. If it deems necessary, after the Company’s answer, the User may ask for its Personal Data to be completed, and the Company may either make the necessary modifications into User’s account from the Pago App, or indicate to the User the steps whereby it may make this rectification itself.
  • 5.3. The right to erase the Personal Data
  • 5.3.1. The User may ask the Company to erase the Personal Data regarding it, following that the Company complies with this request in the following situations:
  • 5.3.1.1. In case the Personal Data whose erasure is asked for are no longer necessary to the Company for fulfilling the purposes for which they were collected or processed. In this sense, the Company will send an answer to the User, explaining the necessity to process the respective Personal Data reported to the purposes of the processing, but also the consequences of its erasure. Insofar as the User considers that this processing no longer complies with the purposes indicated by the Company, it may hold on positions as regards the erasure of the Personal Data, assuming also the liability for any effects related to the use of the Application following the erasure of these Personal Data;
  • 5.3.1.2. Should the User withdraw its consent for the Personal Data processing, if the respective Personal Data are processed based on the User’s consent, as legal grounds (you may find more details about the grounds based on which we process the Personal Data in Section 3 above);
  • 5.3.1.3. If the User opposes the processing of the Personal Data, according to the provisions of this Policy; the company will send an answer to the User, indicating the extent to which there are legitimate reasons for further processing the Personal Data. In the situation when the Company sends a newsletter to the Users or other commercial communication means, the User will have at any time and irrespective of the reason, the possibility to choose not to receive such communications anymore;
  • 5.3.1.4. If the User considers that the Processing of the Personal Data was illegal; The Company will send an answer to the User, explaining the extent to which there are legal grounds for processing the Personal Data; Insofar as the User considers that this processing no longer complies with the purposes indicated by the Company, it may hold on positions as regards the erasure of the Personal Data, assuming also the liability for any effects related to the use of the Application following the erasure of these Personal Data;
  • 5.3.2. The Company may refuse to comply with the User’s request if the Personal Data whose erasure is requested may not be erased due to any legal obligations regarding the Company’s activity (in this case the Company will indicate to the User the grounds of this legal obligation), or due to storage or statistic reasons (in this case the Company will indicate to the User the measures it may take in order to make sure that the User’s Personal Data are processed in a safe manner and, at the same time, that the processing takes place only for giving aggregate information about the User’s conduct in relation with the Pago App).
  • 5.4. The right to restrict the Personal Data processing
    The User has the right to ask the Company to restrict its Personal Data processing, in one of the following cases:
  • 5.4.1. The User indicates the fact that the Personal Data regarding it is not correct, and the Company may not rectify the Personal Data indicated when it received the information from the User;
  • 5.4.2. The User indicates that the processing is illegal, but does not want to erase the data, but only to restrict its processing;
  • 5.4.3. The User indicates that it wants its Personal Data to be accessible within the Pago App so that it may use them for protecting / exercising / ascertaining of any right in front of any authority, but it does not want its Personal Data to be processed for other purposes too;
  • 5.4.4. The User appeals the legitimate interest of its Personal Data processing (which is processed based on a legitimate interest) by the Company, and the Company may not assess, when receiving the request from the User, insofar as the Company’s legitimate interest prevails over the right exercised by the User.

In case the right to restriction of the processing is applied, the Company will previously inform the User, as the case may be, before the moment when the restriction of the processing will no longer be applicable, the Personal Data following to be processed again.

  • 5.5. The right to ask for the Personal Data portability.

The User may ask the Company to send all its Personal Data which the User supplied to the Company (thus, only the Personal Data introduced by the User, directly, in the Pago App, or which refer to its preferences within the Pago App), in a format that allows the User to send these Personal Data to another entity (for example, to another payment services operator), in order to access new services or products. This right may be exercised only as regards the Personal Data processed based on the User’s consent, or for executing the agreement with the User.

  • 5.6. The right to opose
  • 5.6.1. The User has the right to oppose to the processing of the Personal Data which are processed based on the legitimate interest of the Company, according to the provisions of this Policy. In this sense, the User may send an e-mail to the Company at the address datepersonale@pago.ro, or using the section Say your opinion from the Application, mentioning the reason for opposing the processing of the Personal Data regarding it (totally or partially).
  • 5.6.2. The Company will answer to the User within 30 days as from receiving the request, indicating to what extent it considers that the Company’s legitimate interest prevails over the reason for opposing indicated by the User.
  • 5.6.3. In case the User does not want to receive marketing and/or promotion messages from the Company (insofar as the Company sends such messages to the User), it may express its option at any moment, in an absolute way.
  • 5.6.4. In case the exercise of the right by the User is legitimate, the Company will take the necessary steps in orde to cease processing the Personal Data of the respective User.
  • 5.7. The User has the possibility to address to the National Supervisory Authority for Personal Data Processing insofar as it considers itself unjustified by the answer received from the Company / the absence of an answer to its request for exercising one of the rights mentioned in this Policy.
  • 5.8. Correspondence
  • 5.8.1. In view to exercising the rights provided above, the User may contact the Company at the address datepersonale@pago.ro, or it may access the section Say your opinion from the Pago App.
  • 5.8.2. The Company will analyze each individual request and will communicate with the User in order to comply to its requests in a manner as close as possible to the User’s expectations.
  • 5.8.3. The Company will answer to all the requests of the Users within 30 calendar days as from the receipt of the request. Insofar as it is necessary to extend this term, the Company will inform the applicant User about this need, before the expiration of the initial term.

6. The confidentiality of the Personal Data

  • 6.1. The Company uses only the Personal Data it needs in order to offer the Pago App. Insofar as we no longer need to process certain Personal Data, we will waive its processing and we will inform you about these modifications regarding the Personal Data processing.
  • 6.2. When processing the Personal Data, the Company offers access only to the employees / collaborators of the Company which need access to certain Personal Data in order to carry out their activity based on the relationship with the Company.
  • 6.3. Besides the entities mentioned in this Policy, we will not grant access to the Personal Data to other third entities without previously informing you about this aspect.

7. Processing security

  • 7.1. The Company is obliged to administer in safe conditions the Personal Data supplied by the Users through the Pago App.
  • 7.2. The Personal Data is protected as follows:
  • 7.2.1. from the point of view of the possibility to view and access the Personal Data, this is encrypted against any unauthorized access. Thus, the entire transfer of data, including the Personal Data transfer, between the User and the Pago App is encrypted;
  • 7.2.2. from the point of view of keeping the Personal Data, this is stored though cloud secured services offered by third parties (Amazon Web Services Inc. and Digital Ocean LLC);
  • 7.2.3. all information about the Users’ bank cards used within the Pago App is stored on the server of the payments processor Romcard, the biggest and experimented processor of online and offline card payments in Romania. The payment information is taken over directly into screens stored on Romcard servers, not being sent back to the User’s terminal or to any other system, including the Company’s systems.
  • 7.2.4. all the transactions are authorized and processed by using encrypted identification keys, unique for each card, which are communicated thorugh a secure chennel between the Pago App and Romcard. For any information related to any payment processing or transaction performed within the Pago App, we kindly ask you to send us an e-mail at support@pagoplateste.ro.
  • 7.3. The security of the User’s account depends also on the maintenance of the confidentiality of the connecting data on the platform by the User. In this sense, the Company recommends the Users:
  • 7.3.1. to use a strong password and to renew it at regulated intervals of time;
  • 7.3.2. to avoid the use of the same password for multiple applications;
  • 7.3.3. to implement automated systems for debugging and securing the information systems used for accessing the Pago App;
  • 7.3.4. to avoid storing the password for the User account in unprotected documents or accessible by third parties;
  • 7.3.5. to avoid disclosing the details regarding the password for the User’s account by other persons.
  • 7.4. The Company will not be held liable for the User’s negligence or inaction which determine the compromise of the account’s security from the Pago App.

8. About the Site

Within the Site, the Company collects and processes DCP which come to its possession in the following situations:

  • through the contact form available in the section Contact, in which case there are collected and processed: the name and surename, together with the e-mail address and any other information available within the field Your message. The DCP collected in this form are processed based on the legitimate interest of the Company of being able to build a long relationship and a history of the conversions with any person contacting the Company.
  • through the contact button, available on each page of the Site, where the messages received are collected and processed with the help of the product Intercom, whose policy on Personal Data processing is available here.

Any significant modification of this Policy will be notified to the Users, insofar as such a request is provided by the applicable legislation in force.