The protection of personal data is of particular importance to Payfac24 sp. z o.o. (Payfac24).
In accordance with the General Data Protection Regulation (GDPR) and the relevant provisions of Polish data protection law, we provide the following information regarding the nature, scope, and purpose of the processing of personal data.

1. Data controller

Payfac24 Limited Liability Company, with its registered office in Warsaw, at 1 Jana Henryka Dąbrowskiego Square, 00-057 Warsaw, Poland, entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court for the Capital City of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under KRS number 0001200055, Tax Identification Number (NIP): 5253064808. REGON: 542997060

Email: info@payfac24.pl

Website: www.payfac24.pl

2. Data Protection Officer

Questions regarding data protection may be directed at any time to Payfac24 or directly to the Data Protection Officer:

Patrycja Izydorek-Szymańska

p.szymanska@payfac24.pl

You may contact the Data Protection Officer regarding any matters related to the processing of personal data and the exercise of your rights under the GDPR.

3. Legal basis

The processing of personal data is carried out in accordance with Article 6(1)(a)–(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), in conjunction with national data protection laws, in particular the Personal Data Protection Act, depending on the purpose of the data processing.

4. Data Processing Policies

Payfac24 processes personal data exclusively:

• in accordance with the law,
• for specific purposes,
• to the extent strictly necessary,

• for the purposes of direct marketing of our own services – pursuant to Article 6(1)(f) of the GDPR,
• Handling complaints and inquiries – pursuant to Article 6(1)(f) of the GDPR.

Payfac24 is not a payment institution, an electronic money institution, or a party to agreements entered into with end customers.

The processing is carried out exclusively as part of support services provided to affiliated entities.

5. Processing of personal data

a) Use of the website

When you visit this website, the following data may be processed for technical reasons and to ensure the security of our IT systems:

• the user's IP address (where possible, in a shortened or pseudonymized form),
• date and time of access to the website,
• visited subpages,
• web browser type,
• the user's device operating system.

This data is processed to ensure the proper functioning of the website, maintain the security of the IT infrastructure, and analyze any technical errors.

Legal basis for data processing:

Article 6(1)(f) of the GDPR– the controller’s legitimate interest in ensuring the security and proper functioning of the website.

b) Contact

When contacting Payfac24 via email, the contact form, or other communication channels, the personal data provided by the person making contact is processed, specifically:

• first and last name,
• email address,
• company identification information (if applicable),
• the content of the inquiry or correspondence.

This data is processed solely for the purpose of handling your inquiry, conducting correspondence, and providing a response.

Legal basis for data processing:

Article 6(1)(b) of the GDPR– with respect to actions taken at the request of an individual prior to entering into a contract and

Article 6(1)(f) of the GDPR– the controller’s legitimate interest in handling inquiries and communication.

c) Individual customer inquiries (payment identification)

If individual customers contact Payfac24 to request verification of a charge labeled “Payfac24,” the data provided in the inquiry is processed, specifically identification data and information regarding the payment in question.

Data is processed solely for the purpose of:

• substantive identification of payments and
• the orderly transfer of the matter to the relevant contractual partner responsible for executing the transaction.

Payfac24 in this regard:

• does not make decisions regarding claims or complaints,
• does not manage contractual relationships between the client and the factor or service provider,
• does not provide payment services on its own behalf.

Legal basis for data processing:

Article 6(1)(f) of the GDPR– the controller’s legitimate interest in handling inquiries regarding payment identification and forwarding the request to the relevant contractual partner.

d) Merchant and partner inquiries (Microsoft Forms)

Inquiries from merchants and business partners can be submitted via an external form provided by Microsoft (Microsoft Forms).

In this case, the personal data provided in the form may be processed, specifically:

• first and last name,
• email address,
• name of the company or organization,
• other contact information,
• the content of your inquiry or report.

This data is processed for the purpose of handling inquiries, conducting business communications, and taking steps to establish a business relationship or carry out an existing one.

Legal basis for data processing:

Article 6(1)(b) of the GDPR– actions taken at the request of an individual prior to entering into a contract,

Article 6(1)(f) of the GDPR– the controller’s legitimate interest in handling business inquiries and maintaining relationships with partners.

In connection with the provision of the Microsoft Forms service, personal data may be processed by Microsoft as a data processor acting under a data processing agreement entered into with the data controller.

Data may be processed on servers located within the European Economic Area and, in some cases, outside of it. When transferring data to third countries, Microsoft applies appropriate safeguards as required by data protection laws, in particular the standard contractual clauses approved by the European Commission.

Detailed information regarding Microsoft’s data processing practices is available in Microsoft’s privacy policy at https://privacy.microsoft.com.

6. Data transfer

Personal data may be disclosed to other entities only to the extent necessary to achieve the purposes of processing and in accordance with applicable data protection laws.

The recipients of personal data or categories of recipients may include, in particular:

• entities affiliated with Payfac24, to the extent necessary to handle inquiries or carry out business cooperation,
• contractual partners responsible for executing or processing a given transaction, particularly in the case of inquiries regarding payment identification,
• providers of technical and IT services that support the operation of Payfac24’s IT systems (e.g., hosting, IT system maintenance, communication tools),
• entities providing consulting, legal, accounting, or auditing services, to the extent necessary to perform such services,
• entities that process personal data on behalf of the controller under data processing agreements,
• public authorities or other entities authorized to receive the data under applicable law.

When using the services of technology providers, personal data may be processed on their IT infrastructure. The controller ensures that these entities process data solely on the basis of appropriate agreements and in accordance with applicable data protection laws.

If, in connection with the use of services provided by technology providers, personal data is transferred outside the European Economic Area, such transfers are carried out using the appropriate safeguards required by the GDPR, in particular the standard contractual clauses approved by the European Commission or other mechanisms provided for in data protection regulations.

7. Data retention period

Personal data is retained only for as long as is necessary to fulfill the purposes for which it was collected, in accordance with applicable laws and the legitimate interests of the controller.

In particular, personal data may be stored for the following periods:

• data processed in connection with the use of the website—for the period necessary to ensure the proper functioning of the website and the security of IT systems, generally no longer than the period determined by the configuration of system logs,
• data processed in connection with inquiries submitted to Payfac24 (via email or the contact form)—for the period necessary to handle the inquiry and conduct correspondence, and subsequently for up to 12 months for the purpose of resolving any issues or pursuing claims,
• data processed in connection with inquiries regarding payment identification—for the period necessary to identify the transaction and refer the matter to the appropriate contractual partner, and subsequently for the period necessary to safeguard any potential claims or resolve the matter,
• Data processed in connection with inquiries from merchants and business partners—for the duration of the correspondence and for the period necessary to establish or carry out a business relationship, and subsequently for the period required by law or necessary to safeguard claims.

If the processing of personal data is based on consent, the data will be processed until such consent is withdrawn, unless there is another legal basis for its continued processing.

After the specified periods have elapsed, personal data is deleted or anonymized, unless further retention is required by law or necessary to establish, pursue, or defend legal claims.

8. Rights of data subjects

Data subjects have rights under data protection laws, in particular:

• the right to access data andobtain information about the rules governing its processing (Article 15 of the GDPR),
• the right to have data rectifiedif it is inaccurate or incomplete (Article 16 of the GDPR),
• the right to erasure(“the right to be forgotten”), provided that the conditions set forth in Article 17 of the GDPR are met,
• the right to restrict data processingin the cases specified in Article 18 of the GDPR,
• the right to have data transferred toanother controller, to the extent specified in Article 20 of the GDPR,
• the right to object todata processing based on the controller’s legitimate interests (Article 21 of the GDPR).

If data processing is based on consent, the data subject also hasthe right to withdraw consent at any time; however, the withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

To exercise your rights, you may contact the data controller at any time, specifically by email at:info@payfac24.pl.

As a general rule, the exercise of these rights is free of charge. However, the controller may charge a reasonable fee for requests that are manifestly unfounded or excessive, in accordance with the provisions of the GDPR.

9. Right to file a complaint

Data subjects have the right to lodge a complaint with the competent data protection supervisory authority, in particular in the Member State of their habitual residence, place of work, or the place where the alleged infringement of data protection regulations occurred.

In Poland, the supervisory authority responsible for matters related to the protection of personal data is:

President of the Personal Data Protection Office (UODO)

2 Stawki Street, Warsaw, Poland

https://uodo.gov.pl

10. Data security

Payfac24 implements appropriate technical and organizational measures to ensure an adequate level of security for personal data and to protect it against accidental or unlawful loss, destruction, alteration, unauthorized disclosure, or access.

When assessing the appropriate level of security, particular consideration is given to the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing.

These measures are regularly reviewed and adapted to reflect the current state of the art, the nature of the data being processed, and the risk of infringement of the rights or freedoms of data subjects.

11. Changes to this Privacy Policy

Payfac24 reserves the right to amend this privacy policy in the event of changes in the law, technological or organizational changes, or changes related to the processing of personal data.

The current version of the privacy policy is always published on the Payfac24 website.