Privacy Notice
Updated: December 2024
Welcome to Payhound's privacy notice (the "Privacy Notice").
Payhound Limited ("Payhound"; "we"; "us"; "our") respects your privacy and values its importance, and is committed to protecting your personal data. The purpose of this Privacy Notice is to set out the basis on which we will process your personal data when:
- you approach us to provide you with our cryptocurrency payment processing services, cryptocurrency sale and purchase services and/or cryptocurrency wallet services (the "Services");
- you receive the requested Services;
- you make use of the services provided by some of our customers/merchants; and/or
- you visit and use our website www.payhound.com (the "Website"), regardless of where you visit and use it from.
We process your personal data in an appropriate and lawful manner, in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") and the Data Protection Act (Chapter 586 of the Laws of Malta), as may be amended or replaced from time to time (the "Act") (together, the GDPR and the Act shall be referred to as the "Data Protection Laws").
This Privacy Notice details what personal data we may collect about you and the manner in which we handle it, our obligations to process your personal data responsibly, your data protection rights as a data subject and how the Data Protection Laws protect you.
1. IMPORTANT INFORMATION AND WHO WE ARE
This Privacy Notice aims to ensure that you are fully informed of how we will collect and process your personal data.
It is important that you read this Privacy Notice together with any other privacy and/or fair processing notice we may provide from time to time when collecting your personal data so that you are fully aware of the manners in which we use and safeguard your personal data.
The Website and the Services are not intended for minors below the age of 18 years. We do not knowingly collect data relating to minors. If we become aware that we have unintentionally collected the information of a minor, we will take all the appropriate measures to safely delete this information.
I. CONTROLLER
As a data controller, we are responsible for the Website. We are also the data controller for any personal data which we collect or receive and which we process in connection with the Services and/or the Website.
Payhound has a dedicated data protection contact who is responsible for overseeing queries in relation to this Privacy Notice and for handling any data subject requests. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our team. Our full details are as follows.
OUR CONTACT DETAILS
Name of the company: Payhound Limited
Postal address: Level 0A, Centris Business Gateway II, Triq is-Salib tal-Imriehel, Zone 3 Central Business District, CBD 3020, Birkirkara, Malta
Email address: [email protected]
II. CHANGES TO OUR PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES TO YOUR PERSONAL DATA
This Privacy Notice was last updated: December 2024.
We may update this Privacy Notice from time to time. Any changes to our Privacy Notice will become effective upon the publishing of the revised Privacy Notice on the Website. The use of this Website following such changes constitutes your awareness and acknowledgement of the revised Privacy Notice then in effect. Please refer to this page every so often to ensure that you keep yourself informed of any updates to our Privacy Notice.
It is important that the personal data we hold about you is accurate and current at all times, particularly if you are making use of any of our Services. Otherwise, our ability to provide you with the requested Services will be impaired (amongst other potential and salient issues). Please keep us informed if your personal data changes during the course of our engagement and professional relationship with you so that we can update our records accordingly.
III. THIRD PARTY SITES
This Website may, from time to time, include links to third party websites, plug-ins and applications. Clicking those links may permit third parties to collect or share data about you. We do not control these third party sites and are not responsible for their privacy notices, policies or statements. Please read the privacy notice of every third party site you visit or use to ensure that you are fully informed of their data processing practices.
IV. THE TRAVEL RULE REGULATION
As from 30 December 2024, Payhound is required, as part of its obligations in its role as crypto-asset service provider ("CASP") under Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets (the "Travel Rule Regulation"), to collect, process, verify and hold information (the "Travel Rule Data"), which may consist of personal data in terms of the Data Protection Laws, about the originator (sender) and the beneficiary (recipient) of transactions involving crypto-assets for the purposes of the prevention of money laundering and terrorist financing. Payhound may also be required to share such information, which may include personal data, with other counter-party CASPs before or during such a transaction. The originator and the beneficiary of such transactions may be customers of our merchants and/or individual shareholders, company officers and/or executives of legal persons that are customers of Payhound's merchants. We will provide more information about the collection, purposes and legal grounds for processing of the Travel Rule Data in line with our obligations under the Travel Rule Regulation further below in this Privacy Notice.
2. PERSONAL DATA COLLECTION
Personal data means any information on or about an individual from which that individual can be identified. It does not include data where the identification element has been removed (such as when personal data is rendered anonymous).
Personal data does not include information relating to a legal person. In this regard, information such as a company name, its company number, registered address and VAT number does not amount to personal data in terms of the Data Protection Laws. Therefore, the collection and use of information strictly pertaining to a legal person does not give rise to data controller obligations at law. We will still naturally treat any and all such information in a confidential manner.
I. WHOSE PERSONAL DATA WE COLLECT
This Privacy Notice is intended to govern the collection of the personal data pertaining to the below individuals:
- Website visitors: individuals visiting our Website;
- Visitors at our premises: individuals visiting our premises for any reason, inclusive of meetings, scheduled maintenance and/or the provision of services;
- Third parties generally: this is a generic category of data subjects that typically includes individuals with whom we do not have a direct contractual relationship, such as prospective individual service providers and/or persons contacting Payhound with enquiries or for any other reason;
- Prospective merchants: individuals who have expressed an interest in engaging our Services;
- Individual shareholders, company officers and/or executives of prospective merchants: individuals who are generally owners and/or legal and judicial representatives of a prospective merchant when the latter is a legal person;
- Customers and/or suppliers of our merchants: individuals being customers and/or suppliers of our merchants, through whom they make use of the Services;
- Individual shareholders, company officers and/or executives of legal persons that are customers and/or suppliers of our merchants: individuals who are generally owners and/or legal and judicial representatives of legal persons, the latter being customers and/or suppliers of our merchants, through whom such legal persons make use of the Services.
If you provide us with personal data about someone else, such as about your customers and/or suppliers, it is your responsibility to ensure that you are entitled to disclose that personal data to us, that such personal data is correct, and that we are immediately informed of any changes to such personal data so that we can keep our records updated at all times in line with the Data Protection Laws. You must also ascertain that the data subjects of such personal data comprehend how their personal data will be used and processed by us and our outsourced service providers, in accordance with this Privacy Notice. For such purpose, you shall therefore bring our Privacy Notice to the attention of such third parties before you share any of their personal data with us.
II. DATA WE COLLECT ABOUT YOU
When processing personal data pertaining to you, we may, depending on the case at hand, collect, use, store and/or transfer different kinds of personal data about you which we have grouped together as follows:
- Identification Data: includes name, surname, title, date and place of birth, username or similar identifier (with regards to the Website), identification documents and details, such as identity card and passport information. We may also request additional information in order to evidence your identity such as, but not exclusively, electronic signatures, particularly if we are required by law to do so.
- Contact Data: includes postal address, email address and telephone and/or mobile number.
- Compliance Data (Anti-Money Laundering ("AML"), Combatting Funding of Terrorism ("CFT") and Know-Your-Client ("KYC")): includes Identification Data and Contact Data, and shall also cover, as necessary, proof of residence, such as a utility bill, professional references, tax domicile information, financial status information, such as bank statements, source of wealth and source of funds, KYC (database) checks and any other information or documentation which may be required from time to time by the applicable rules and regulations. In carrying out its KYC checks, Payhound may also come across criminal record and conviction information, which it shall only process in strict accordance with the law. We may also request additional information in order to, but not exclusively, verify the ownership of self-hosted wallets, assess associated risks and implement risk mitigation measures, and this to ensure that we are in compliance with our AML, CFT and KYC obligations under all applicable laws including the Travel Rule Regulation.
- Financial Data: includes bank account and e-wallet details, as well as any relevant taxation data (this includes any applicable income tax / VAT information).
- Investment Data: includes information about your investment objectives, experience as well as prior investments.
- Transactional Data: includes information about the transactions carried out by end users of our customers on or via our electronic platform.
- Travel Rule Data: includes Identification Data, Contact Data, Compliance Data, Financial Data, Transactional Data, distributed ledger address and/or crypto-asset account number of the originator/beneficiary, or unique transaction identifier for instances where the distributed ledger address and/or crypto-asset account number are not available, customer identification number that uniquely identifies the originator, legal entity identifier (when provided) or any other available equivalent official identifier of the originator/beneficiary.
- Cookie Data: includes information collected via cookies used on our Website, as better explained in our Cookie Notice.
In all cases, we may request additional and proportionate information if and when we deem such to be necessary, particularly but not exclusively if we are required by law to do so.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data at law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Cookie Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.
We do not collect any sensitive personal data, such as ethnic origin, religious beliefs, or sexual orientation, about you.
If you fail to provide personal data
Where we need to collect personal data by law, or pursuant to provision of our Services, and you fail to provide that data when requested, we may not be able to provide you with the requested Services. In certain cases, particularly where it relates to Compliance Data and/or Travel Rule Data, we may even need to exercise our prerogative to suspend and/or terminate our provision of the Services to you, or otherwise decline to enter into any other professional relationship with you (as applicable). We will notify you if this is the case at the time.
III. HOW DO WE COLLECT YOUR PERSONAL DATA?
We use different methods to collect your personal data. Any personal data collected is a result of, and relates to, your relationship with us. We will collect personal data as follows:
Website visitors: we may collect Identification Data and/or Contact Data as submitted to us by yourself if you decide to utilise the 'Contact Us' form on and through our Website. Furthermore, and upon accessing our Website, Cookie Data is processed by ourselves and by our third party processors throughout the duration of your session. More information on the use of cookies on our Website is found in our Cookie Notice.
Visitors at our premises: upon entering our premises, our front desk may manually collect the Identification Data and/or Contact Data that would be deemed proportionate and necessary in the circumstances. We may also hold images of you captured by our CCTV cameras.
Third parties generally: in each of the following categories, Identification Data and Contact Data are usually collected through direct interaction with the data subject:
- Prospective service providers: when you, as a prospective individual service provider, express an interest in doing business with us, and during the course of our negotiations or dealings;
- Persons contacting us: upon contacting us by means other than our Website, such as through a telephone enquiry or written enquiry through an instant messaging application; and
- Representatives/agents: when an individual has been sent to deal with us on behalf of another entity, be it another individual or a third party. For the purposes of this Privacy Notice, individual shareholders, company officers and/or executives of prospective merchants that are legal persons, such as companies, comprise a separate category of data subjects, and shall accordingly be treated as such.
Prospective merchants: we may collect your personal data when you express an interest in engaging our Services, and this is typically done through:
- Direct interactions, through meetings, calls, email correspondence and/or by other means, usually when you submit the relevant Identification Data, Contact Data, Compliance Data, Financial Data and Investment Data to us; and
- Third parties and other available sources, such as the Malta Business Registry, company registers of other jurisdictions, and from electronic data searches, online search tools, anti-fraud databases and other third party databases, sanctions lists and general searches carried out via online search engines.
Individual shareholders, company officers and/or executives of prospective merchants: we may collect your personal data when the prospective merchant, of which you are a shareholder, company officer or executive, expresses an interest in engaging our Services, and this is typically done through:
- Direct interactions, through meetings, calls, email correspondence and/or by other means, usually when you submit the relevant Identification Data, Contact Data and Compliance Data to us; and
- Third parties and other available sources, such as the Malta Business Registry, company registers of other jurisdictions, and from electronic data searches, online search tools, anti-fraud databases and other third party databases, sanctions lists and general searches carried out via online search engines.
Customers and/or suppliers of our merchants: we may collect your personal data, including Travel Rule Data, when a transaction is made by yourself, through our merchant, over our electronic platform, and such information is typically collected indirectly through our merchant.
Individual shareholders, company officers and/or executives of legal persons that are customers and/or suppliers of our merchants: we may collect your personal data, including Travel Rule Data, when a transaction is made by the legal person of which you are an individual shareholder, company officer or executive, through our merchant (of which said legal person is a customer or supplier), over our electronic platform, and such information is typically collected indirectly through our merchant.
3. USE OF PERSONAL DATA
We will only use your personal data on the basis of legally permissible grounds in the terms of the Data Protection Laws. Most commonly, we will use your personal data in the following circumstances:
- where you wish to formally engage our Services;
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- where we need to comply with our legal and professional obligations to third parties.
We have set out below a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are, where appropriate.
Please Note: When relying on 'legitimate interests' as our legal basis for processing your personal data, this shall be understood to refer to our interests to conduct, manage and administer our business affairs appropriately, to protect our reputation, and to provide our clients/merchants, Website users and other data subjects about whom we may collect personal data as outlined further above in this Privacy Notice with a professional and secure experience. We make sure we consider and balance any potential impact on your rights before we process your personal data for our legitimate interests as provided in the table below. Unless you have consented or it is otherwise required or permitted by law or public interest, we do not use your personal data for activities where our interests are overridden by the impact on you.
Note that we may process your personal data pursuant to more than one lawful ground or basis, depending on the specific purpose for which we are using your personal data.
| DATA SUBJECT | PERSONAL DATA PROCESSED | LEGAL BASIS IN TERMS OF GDPR | PURPOSE OF PROCESSING |
|---|---|---|---|
| Website Visitors | Identification Data, Contact Data | a. Protection of our legitimate interests (or those of a third party), such that we may require this information for security, administrative and logistical purposes in the general course of our business, as well as to handle any relevant issues that may arise on a day-to-day basis. | We may collect your personal data in order to stay organised and be in a position to respond to your queries with the intention of growing our customer base and network. |
| | | b. Consent. | We will, if you so desire, and based on the information you provide, respond to your queries and/or provide you with further information about our Services. |
| | Cookie Data | a. Protection of our legitimate interests, such that we require this information in order for our Website to function securely and in the intended manner. | Please refer to our Cookie Notice for further information about the types of cookies that we use, the data processed and the corresponding purposes. |
| Visitors at our Premises | Identification Data, Contact Data | a. Protection of our legitimate interests (or those of a third party), such that we may require this information for security, administrative and logistical purposes in the general course of our business, as well as to handle any relevant issues that may arise on a day-to-day basis. | In this regard: - We may keep and update a visitor log which identifies the people that have visited our premises; and - We will also be positioned to defend legal proceedings, pursue any available remedies, or limit the damages that we may sustain. |
| | | b. For reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued. | We strive to ensure that our premises, as well as our data, are kept secure. Aside from keeping a visitor log, information we record about visitors may be transmitted to law enforcement and other authorities should the need arise, or should we be required to do so upon the valid request issued to us by any competent authority and/or the executive police. |
| | | c. Consent. | We will, if you so desire, and based on the information you provide, respond to your queries and/or provide you with further information about our Services. |
| Third parties generally | Identification Data, Contact Data | a. The identification of the specific legal ground would be dependent on the case at hand. However, the more common scenarios of data processing in this case are supported by the following legal grounds: (a) Adherence to our legal obligations generally and as applicable; (b) Eventual performance of a contract with you or a person you represent; (c) Protection of our legitimate interests (or those of a third party), such that we may require this information for security, administrative and logistical purposes in the general course of our business, as well as to handle any relevant issues that may arise on a day-to-day basis; (d) Consent. | The specific purpose is established on a case-by-case basis. |
| Prospective merchants | Identification Data, Contact Data, Compliance Data, Financial Data, Investment Data | a. Adherence to our legal obligations, particularly as deriving from the Prevention of Money Laundering Act (Chapter 373 of the Laws of Malta) (the "PMLA"), the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01 of the Laws of Malta) (the "PMLFTR"), Regulation (EU) 2023/1114 which is also known as the Markets in Crypto-Assets Regulation (the "MiCAR"), and the relevant Implementing Procedures (the "IPs") as may be published by the Financial Intelligence Analysis Unit (the "FIAU"). | In this regard: - We will verify your identity through our KYC processes; - We will be able to determine if we may enter into a contractual relationship with you; - We will be able to detect, prevent, and/or report fraud or any other criminal activity that comes to our knowledge; and - We will be able to fulfil any external mandatory reporting requirements that we may have with the FIAU, the Malta Financial Services Authority (the "MFSA"), the executive police and any other authorities. |
| | | b. Adherence to our legal obligations, as primarily deriving from the Virtual Financial Assets ("VFA") Act (Chapter 590 of the Laws of Malta), the VFA Regulations (Subsidiary Legislation 590.01 of the Laws of Malta), and Chapter 3 of the VFA Rulebook issued by the MFSA. | In this regard: - Generally, we will be able to fulfil our legal obligations as a licensed entity under the VFA legal framework; - We will be able to classify the entity you represent, being our prospective customer, as an Experienced or Non-Experienced Investor, in terms of the VFA Rulebook. |
| | | c. Protection of our legitimate interests (or those of a third party), such that we may require this information for administrative and logistical purposes in the general course of our business, as well as to handle any relevant issues that may arise on a day-to-day basis. | In this regard: - We will require this information to eventually enter into a contract with you if we are to provide our Services; - We will develop and improve the manners in which we deal with financial crime; - We will be able to assist and cooperate in any criminal or regulatory investigations as may be required of us; and - We will also be positioned to defend legal proceedings, pursue any available remedies or limit the damages that we may sustain. |
| Individual Shareholders, Company Officers and/or Executives of Prospective Merchants | Identification Data, Contact Data, Compliance Data, Investment Data | a. Adherence to our legal obligations, particularly as deriving from the PMLA, the PMLFTR, the MiCAR and the relevant IPs as may be published by the FIAU from time to time. | In this regard: - We will verify your identity through our KYC processes; - We will be able to determine if we may enter into a contractual relationship with the entity you represent (for example, if we are processing Compliance Data about a director who is representing a prospective corporate customer); - We will be able to detect, prevent, and/or report fraud or any other criminal activity that comes to our knowledge; and - We will be able to fulfil any external mandatory reporting requirements that we may have with the FIAU, the MFSA, the executive police and/or any other competent authorities. |
| | | b. Adherence to our legal obligations, as deriving from the VFA Act, the VFA Regulations, and Chapter 3 of the VFA Rulebook issued by the MFSA. | In this regard: - Generally, we will be able to fulfil our legal obligations as a licensed entity under the VFA legal framework; - We will be able to classify the entity you represent, being our prospective customer, as an Experienced or Non-Experienced Investor, in terms of the VFA Rulebook. |
| | | c. Protection of our legitimate interests (or those of a third party), such that we may require this information for administrative and logistical purposes in the general course of our business, as well as to handle any relevant issues that may arise on a day-to-day basis. | In this regard: - We will require this information to eventually enter into a contract with the entity you represent if we are to provide the Services; - We will develop and improve the manners in which we deal with financial crime; - We will be able to assist and cooperate in any criminal or regulatory investigations, as may be required of us; and - We will also be positioned to defend legal proceedings, pursue any available remedies or limit the damages that we may sustain. |
| Customers and/or suppliers of our merchants | Identification Data, Compliance Data, Financial Data, Transactional Data | a. Adherence to our legal obligations, particularly as deriving from the PMLA, the PMLFTR, the MiCAR and the relevant IPs as may be published by the FIAU from time to time. | We will require this information in order to investigate high risk transactions made by end users of our customers over our electronic platform. |
| | Travel Rule Data | a. Adherence to our legal obligations, particularly as deriving from the Travel Rule Regulation. | In this regard: - We will require this information in order to be able to monitor crypto-asset transactions and, depending on the nature of the information collected, execute, reject or suspend, temporarily or permanently, such transfers with the scope of preventing the abuse of crypto transfers for terrorist financing and other financial crime purposes, to detect such abuse if it occurs, and to allow relevant competent authorities to promptly access such information when and if required; and - We will need to exchange and transfer this information to other counter-party CASPs, some of which may also be located outside of the EU/EEA, as well as potentially to relevant competent authorities and/or the executive police, as necessary. |
| | | b. Protection of our legitimate interests (or those of a third party), such that we may require this information for administrative and logistical purposes in the general course of our business, as well as to handle any relevant issues that may arise on a day-to-day basis. | In this regard: - We may need to use this information for testing purposes (generally although not exclusively through Sumsub Limited, being one of our third-party service providers) to ensure that we will ultimately be in a position to continuously meet and satisfy our legal obligations in terms of the Travel Rule Regulation; - We will need to share this information with our third-party service providers (mainly although not exclusively with Sumsub Limited, being one of our third-party service providers) that help us to stay compliant with our legal obligations, amongst which those relating to verification and monitoring processes that we need to conduct before or upon the transfer of crypto-assets; - We will require this information to be able to provide and/or continue providing our Services, including the Payhound platform being used by such customers and/or suppliers through our merchants; - We will develop and improve the measures and the manners we use to identify and deal with financial crime; - We will be able to assist and cooperate in any criminal or regulatory investigations as may be required of us; and - We will also be positioned to defend legal proceedings, pursue any available remedies or limit the damages that we may sustain. |
| Individual Shareholders, Company Officers and/or Executives of customers or suppliers of our merchants that are legal persons | Compliance Data, Identification Data | a. Adherence to our legal obligations, particularly as deriving from the PMLA, the PMLFTR, the MiCAR and the relevant IPs as may be published by the FIAU from time to time. | We will require this information in order to investigate high-risk transactions made by end users of our customers over our electronic platform. |
| | Travel Rule Data | a. Adherence to our legal obligations, particularly as deriving from the Travel Rule Regulation. | In this regard: - We will require this information in order to be able to monitor crypto-asset transactions and, depending on the nature of the information collected, execute, reject or suspend, temporarily or permanently, such transfers with the scope of preventing the abuse of crypto transfers for terrorist financing and other financial crime purposes, to detect such abuse if it occurs, and to allow relevant competent authorities to promptly access such information when and if required; and - We will need to exchange and transfer this information to other counter-party CASPs, some of which may also be located outside of the EU/EEA, as well as potentially to relevant competent authorities and/or the executive police, as necessary. |
| | | b. Protection of our legitimate interests (or those of a third party), such that we may require this information for administrative and logistical purposes in the general course of our business, as well as to handle any relevant issues that may arise on a day-to-day basis. | In this regard: - We may need to use this information for testing purposes (generally although not exclusively through Sumsub Limited, being one of our third-party service providers) to ensure that we will ultimately be in a position to continuously meet and satisfy our legal obligations in terms of the Travel Rule Regulation; - We will need to share this information with our third-party service providers (mainly although not exclusively with Sumsub Limited, being one of our third-party service providers) that help us to stay compliant with our legal obligations, amongst which those relating to verification and monitoring processes that we need to conduct before or upon the transfer of crypto-assets; - We will require this information to be able to provide and/or continue providing our Services, including the Payhound platform being used by such customers and/or suppliers through our merchants; - We will develop and improve the measures and the manners we use to identify and deal with financial crime; - We will be able to assist and cooperate in any criminal or regulatory investigations as may be required of us; and - We will also be positioned to defend legal proceedings, pursue any available remedies or limit the damages that we may sustain. |
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Website may become inaccessible or not function properly. This Privacy Notice should be read in conjunction with our Cookie Notice.
Change of purpose
We will only use your personal data for the purposes for which we collected it, in line with the above table, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose, or you have given us your consent to do so, or we are obliged to process your data by applicable laws or court/enforceable orders.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis upon which we are relying before doing so. Please note that we may process your personal data without the need to obtain your consent, in compliance with the above purposes, where this is required or permitted by law.
4. DATA SECURITY
We have implemented appropriate security measures for each form of data so as to prevent your personal data from being accidentally lost, altered or disclosed in an unauthorised manner. These include:
- Information security means, such as:
  - appropriate firewalls and security software, inclusive of anti-malware and anti-virus software;
  - data segregation mechanisms and user access control;
  - robust authentication measures;
  - encryption;
  - source code security;
  - pseudonymisation of data;
  - appropriate data backup measures;
  - wi-fi network segregation, allowing for a separate 'Guest' network;
  - mobile device management solutions; and
- Physical security means, such as fire alarms, implemented at our premises.
We also carry out periodical reviews of our data security measures and regularly perform vulnerability scans and penetration testing on our IT systems, in order to ensure that our IT security is constantly up to standard.
In addition, we limit access to your personal data to those employees, and other third parties who have a business need to know. These persons will only process your personal data on our instructions and are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
5. DATA RETENTION
We retain your personal data only for as long as we have a valid legal reason to do so. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Our standard practice is to determine whether there are any specific laws permitting or even obliging us to keep certain personal data for a certain period of time, in which case we will typically keep the personal data for the maximum period indicated by any such law.
Without prejudice to the hereunder, we would also determine whether there are any laws and/or contracts that may be invoked against us by you and/or third parties and if so, what the prescriptive periods for such actions are. These are usually two or five years. In the latter case, we will keep any relevant personal data that we may need to defend ourselves against any claims, challenges or other such actions by you and/or third parties for such time as is necessary.
Compliance Data and Investment Data will generally be retained for a minimum period of five years following termination of the business relationship or potential business relationship between us and yourself, between us and the entity you represent, or between us and our customer/merchant of which you are an end user, as may be the case. This is primarily so as to ensure that we are in line with our legal obligations as deriving from the PMLA, the PMLFTR, the MiCAR and the IPs. We may, however, retain the aforementioned data for longer periods when authorised or obliged to do so by the FIAU, other relevant authorities or any applicable legislation.
Transactional Data pertaining to customers of our merchants shall be kept for a minimum period of 10 years from expiry or termination of our business relationship with said customers. This period is based on our legal obligations as emanating from the VFA Rulebook published by the MFSA.
Financial Data, as well as any reasonably related information, shall generally be retained by us for a period of 10 years. The period has been established on the basis of Payhound's record-keeping obligations in its capacity as a private limited liability company under the applicable laws relating to corporate compliance and taxation.
Travel Rule Data, as well as any reasonably related information, shall generally be retained by us for a period of five years. The period has been established on the basis of Payhound's record-keeping obligations in its capacity as CASP under the Travel Rule Regulation as well as those emanating from the VFA Rulebook published by the MFSA. We may, however, retain the aforementioned data for longer periods of up to five years when authorised or obliged to do so by the FIAU, the MFSA, and/or other relevant authorities and/or any applicable legislation.
In all situations, and for the purpose of clarity, we may retain your data for longer than the abovementioned periods if we believe - and can accordingly justify - that we are bound to do so, or that any such extended period of retention will protect our legitimate interests (for example, in the case of ongoing legal proceedings).
In the instances not outlined above, personal data pertaining to individuals as governed by this Privacy Notice shall be retained for a period which is to be determined on an ad hoc basis, and such depending on the nature of the data collected and the purpose thereof in accordance with the rationale applied as described in this Section 5.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
For information relating to the retention of Cookie Data, please refer to our Cookie Notice.
Kindly contact us should you require further information regarding our data retention practices.
6. DISCLOSURE
We may have to grant access to, disclose or share your personal data with the parties set out below for the purposes set out in the table in Section 3:
IT development services | Service providers who help us in developing software necessary for the running of our business. |
IT backup and cloud services | Service providers who assist us in relation to backups for business continuity purposes so that your personal data is not lost. |
Administration | Service providers who provide administrative assistance in order to enable us to better organise and streamline our internal administrative processes. Within this category, we are also considering service providers that will assist us in our onboarding process, such as fraud prevention and identity verification agencies and service providers, that shall undertake required due diligence and anti-fraud checks via the relevant databases. |
Compliance with our legal obligations under the Travel Rule Regulation | Service providers that assist us in following the requirements mandated and legal obligations placed on us by the Travel Rule Regulation by collecting/receiving, verifying, and transferring personal data pertaining to originators/beneficiaries from/to counter-party CASPs before or upon a crypto-asset transaction. We are currently for such purposes making use of Sumsub Limited, a limited liability company registered in Cyprus with company number HE 405087. You may access Sumsub Limited’s privacy notice here (https://sumsub.com/privacy-notice/) should you wish to read more about the services that Sumsub provides us with and their data processing and protection practices. |
Third party consultants and professional advisors | Service providers who assist us in various matters, including lawyers, accountants, insurers, auditors and security consultants. |
Regulators, courts, law enforcement and other authorities | Entities that may require the disclosure of processing activities in certain circumstances, such as the FIAU, the MFSA and the executive police. |
Under normal circumstances, we will not disclose personal data to other parties not mentioned above without your consent. There may however be times where we may need to do so, such as when abiding by a court order, for the proper administration of justice, in complying with a legal request or a legal requirement, to report actual or suspected fraud, money laundering or other criminal activity, to protect your vital interests, and/or to fulfil your requests.
We require all third parties with whom we share personal data to respect the security of such personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our documented instructions.
7. INTERNATIONAL TRANSFERS
Generally, we do not transfer your personal data to persons or entities outside the EU and the European Economic Area (the "EEA"). However, should this become necessary:
- for the performance of contractual or pre-contractual obligations between you and us;
- for the purpose of IT software support/security;
- for adherence with our legal and/or regulatory obligations;
- for important reasons of public interest;
- for the establishment, exercise or defence of legal claims; or
- for any other reason where any such transfer would be permitted in terms of law.
We shall endeavour to only transfer personal data to countries in the EU or EEA or to third countries outside the EU or EEA which are deemed to provide an adequate standard of protection for such data by the European Commission. In the absence of an adequacy decision, we will use specific contracts approved by the European Commission which give personal data the same protection it has in Europe and this unless such transfer is permitted under any one or more of the derogations under Article 49 of the GDPR.
8. YOUR RIGHTS
As a data subject, and under certain circumstances, you have certain data protection rights at law:
- ACCESS: you have the right to access your personal data and request a copy thereof.
- RECTIFICATION: you have the right to rectify any incorrect personal data that we may hold about you.
- ERASURE: you have the right to be forgotten, which enables you to ask us to delete your personal data where there is no good reason for us continuing to process it. Note that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, and if we are so permitted, at the time of your request. If you opt to exercise this right, we may not always be able to continue our relationship with you or continue providing our Services to you.
- RESTRICTIONS ON PROCESSING: you have the right to request the restriction of our processing. This can be done in the following cases: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. If you opt to exercise this right, we may not always be able to continue our relationship with you or continue providing our Services to you.
- PORTABILITY: you have the right to data portability. Your data may be requested in a machine-readable format (for example, in the form of a spreadsheet or a '.csv' file) and you may also ask that your data be transferred directly to another person or service provider. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- OBJECTIONS TO PROCESSING: you may object to the processing of your data where we are relying on legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- WITHDRAWAL OF CONSENT: if you have provided consent for the processing of your data you have the right, in certain circumstances, to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent was withdrawn. Any processing activities that are not based on your consent will remain unaffected.
- AUTOMATED DECISION-MAKING AND PROFILING: you shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Note that we do not exercise decision-making and profiling in an automated manner.
If you wish to exercise any of the rights set out above, please contact us - kindly refer to Section 9.I. 'Enquiries' for further information on the manner in which you may do so. We will try to respond to all legitimate requests within one month and may require that you send over specific information to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights as outlined directly above).
No fee will be charged to access your personal data (or to exercise any of the other rights mentioned above). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.
Please note that none of these data subject rights are absolute, and must generally be weighed against our own legal obligations and legitimate interests. If we are permitted, and if a decision is taken to override your data subject request, we will inform you.
9. MISCELLANEOUS
I. ENQUIRIES
Should you desire to:
- Make any enquiry regarding your personal data;
- Have your personal data corrected; or
- Request access to your personal data,
you may contact us on the below contact details. We may refuse such requests or charge a reasonable fee where these requests are manifestly repetitive or excessive.
Any request must be made in writing and must also include your name, address, email address and a description of the information or correction required. We may also ask for identification documentation, which is essential in order for us to be able to verify your identity.
Postal address: | Level 0A, Centris Business Gateway II, Triq is-Salib tal-Imriehel, Zone 3 Central Business District, CBD 3020, Birkirkara, Malta |
Email address: |
II. COMPLAINTS
We strive to be receptive to your concerns and would appreciate it if you would contact us in the first instance should you believe that we have breached any privacy rules.
Nonetheless, should you feel wronged by our data protection practices, you may file a complaint with the data protection supervisory authority of your country of residence. In Malta, this would be the Office for the Information and Data Protection Commissioner, the contact details of which are as follows:
OFFICE OF THE INFORMATION AND DATA PROTECTION COMMISSIONER [MALTA]
Email: [email protected]
Phone: +356 2328 7100
III. GOVERNING LAW
This Privacy Notice is governed by and construed in accordance with the laws of Malta.