Privacy Policy and GDPR

This Privacy Policy („Policy”) describes how Payana Solutions LDA („Payana,” „Cards4ads,” „we,” „us,” or „our”) collects, uses, shares, and stores personal data. This notice is issued pursuant to the EU General Data Protection Regulation (GDPR) and applies to you if you are located in the European Economic Area (EEA). Furthermore, this Policy delineates the rights you hold as a data subject, including the right to object to certain uses of your Personal Data by us.

The term „Personal Data” refers to any information that pertains to a specific person who can be identified or is identifiable. It encompasses both the information you provide to us and the data we gather about you, including details obtained when you interact with our Services (e.g., device information, IP address).

The term „Services” encompasses the products and services offered by Payana that fall within the scope of this Policy. Our „Business Services” refer to the Services provided by Payana to entities („Business Users”) who directly or indirectly share with us „Customer” Personal Data related to their own business and activities

The term „Sites” refers to cards4ads.com and other websites, applications, and online services that are specified by Payana as being included in this Policy. When we mention „Services,” we are collectively referring to Sites, Business Services, and End User Services provided by Payana.

Depending on the specific situation, the term „you” can refer to different individuals: the End User, the Representative, or the Visitor.

• If you are directly utilizing an End User Service for personal purposes, such as signing up for Link or making a payment to Payana in your individual capacity, we will address you as an „Customer”
• If you are acting on behalf of an existing or potential Business User (e.g., as a company founder, an account administrator for a company that is a Business User, or a recipient of a payment from a Business User through Payana), we will refer to you as a „Representative.”
• If you visit a Site without logging into a Cards4ads.com account or engaging in any communication with Payana, we will identify you as a „Visitor.” For instance, if you send Payana a message seeking additional information because you are contemplating becoming a user of our products, you will be categorized as a Visitor.

Depending on the specific activity, Payana assumes the role of a „data controller” and/or „data processor (or service provider).” For further details regarding this distinction and to learn about the Payana entity responsible for the matters outlined in this Policy, please refer to the further information:

1. Collection and Usage of Personal Data

Our collection and utilization of Personal Data are contingent upon your role as an Customer,  Representative, or Visitor, as well as the specific Services involved. For instance, if you are a business owner, we may gather Personal Data to facilitate the onboarding process for your business.

In this Privacy Policy, the term „Transaction Data” encompasses Personal Data, which may consist of details such as your name, email address, phone number, address, identification document number, and business information.

We collect and process various personal data about you, including but not limited to the following:

• Information you provide: This includes personal data you provide to us when completing forms on our website. The information may include your name, email address, phone number, country, full company information. Additionally, you may provide contact details, address, financial information, transaction information and other bank details to facilitate contractual obligations or payments related to goods or services provided to us.
• Correspondence and communications: If you contact us via email, we maintain records of the correspondence or communication.
• Website and communication usage details: We gather information regarding your visits to our websites, which includes data collected through cookies and other tracking technologies. This information encompasses your IP address, domain name, browser version, operating system, browser language, access time, traffic data, location data, web logs, website interactions, and referring website addresses. We may also utilize these technologies to track email openings and link clicks.

We ensure that we have a valid legal basis for processing your personal data. This may involve relying on your consent, the necessity of processing to fulfill a contract with you, protection of your vital interests or those of others, or compliance with legal obligations. Additionally, we may process your personal data based on our legitimate interests, taking into account your rights and interests.

To effectively communicate with you and conduct our business, including meeting your requests, we may utilize your personal data in the following ways:

• Responding to your contact requests: We use your personal data to promptly address and respond to any inquiries or requests you submit to us.
• Proposal and business requests: If you express interest in conducting business with us, we use your personal data to provide you with relevant information, respond to your requests for proposals or offers, or contact you regarding potential business opportunities.
• General communication: We may use your personal data to engage in communication with you or with relevant internal and external parties concerning matters related to you.
• Fulfillment of contractual obligations: When necessary, we process your personal data to fulfill our obligations arising from any agreements or contracts entered into between you and us.

Our use of your personal data for these purposes is typically based on your informed consent, contractual necessity (where processing is essential to fulfill our obligations), or our legitimate interests (where we have valid business interests that require the use of your personal data).

Please note that we prioritize protecting your privacy rights and interests throughout these data processing activities.

Processing methods:

Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, examination, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, sampling, erasure or destruction.

2. Legal bases for processing data

For the purposes of the General Data Protection Regulation, we rely upon a number of legal bases to enable our processing of your Personal Data.

1. Contractual and Pre-Contractual Business Relationships.: In order to establish business relationships with potential Business Users and fulfill our contractual obligations, we process Personal Data. These activities include:

• Creation and management of Payana accounts: We collect and manage Personal Data to create and oversee Payana accounts, including evaluating applications to initiate or expand the utilization of our Services.
• Accounting, auditing, and billing: Personal Data is processed for accounting, auditing, and billing purposes.
• Payment processing: We process payments, which includes activities such as fraud detection, loss prevention, optimization of valid transactions, communication regarding payments, and providing customer service related to payments.

1. Legal Compliance: To comply with our obligations related to fraud monitoring, prevention, and detection, as well as legal requirements associated with identifying and reporting illegal and illicit activities, such as Anti-Money Laundering (AML) and Know-Your-Customer (KYC) obligations, and financial reporting, we process Personal Data. This includes:

• Identity verification: We process Personal Data to verify the identity of individuals and entities, as required by law. For instance, we may need to record and verify a User’s identity to meet legislative requirements aimed at preventing money laundering and financial crimes.
• Reporting obligations: We may be obligated by law to report our compliance with these regulations to third parties. Additionally, we may be subject to third-party verification audits to ensure our adherence to these obligations.

These legal compliance activities are necessary for us to fulfill our obligations imposed by applicable laws and regulations, and they may involve the processing of Personal Data.

• Consent: In certain instances, we may rely on your consent to collect and process Personal Data, particularly in relation to how we communicate with you and provide our Services, including Link, Financial Connections, and Identity. When we process data based on your consent, you have the right to withdraw your consent at any time. Please note that withdrawing your consent does not affect the lawfulness of any processing conducted prior to the withdrawal, which was based on your consent.

3. Data protection rights and data procesing period

Depending on your location and applicable law, you may have the following rights concerning the Personal Data that Payana controls about you:

• You have the right to request confirmation of whether Payana processes Personal Data about you and, if so, to obtain a copy of that Personal Data.
• You have the right to request that Payana correct or update any of your Personal Data that is inaccurate, incomplete, or outdated.
• In certain circumstances provided by law, you have the right to request that Payana delete your Personal Data.
• You have the right to request that Payana limit the use of your Personal Data in certain situations, such as while Payana evaluates another request you have submitted (including a request to update your Personal Data).
• Where technically feasible, you have the right to request that Payana transfer your Personal Data to another company.
• If the processing of your Personal Data is based on your consent, you have the right to withdraw that consent at any time.
• If Payana processes your information based on its legitimate interests, you may have the right to object to such processing. Payana will cease processing your information unless it has compelling legitimate grounds or legal reasons to continue.

Please note that the availability and scope of these rights may be subject to local laws and regulations.

3.1 Processing Period:

For individuals or companies who are citizens or registered in European Union countries, or who have been verified to work with European Union citizens or companies, the processing period for Personal Data ends after 5 (five) years from the termination of the interaction between the Customer and Us. However, upon request from the competent authority, the Personal Data storage period may be extended from 5 (five) to 7 (seven) years.

For individuals or companies who are not citizens or registered in European Union countries, and who have not been verified to work with European Union citizens or companies, there is no specific time limit for the processing of Personal Data. The Controller and its Processors may continue to process the Personal Data even after the termination of the interaction between the Consumer and Service.

In addition to the above, I confirm that I have been informed of the following information during the duration of this consent:

Legal basis for the Personal Data processing: General Data Protection Regulation of April 27, 2016 (GDPR);

Identity and Contact Details of the Controller

Payana Solutions LDA, whose registered office is located at Edifício Infante, Avenida D. João II, n.º 35, 11.º A/D 1990-083 Lisboa, Portugal, is the data controller.

Data Protection Officer

Our Data Protection Officer, can be reached at [email protected].

3.2 Cookies and Browsing Information

To facilitate users’ navigation on our website, Payana uses cookies and other storage methods with similar functionality (hereinafter „Cookies”).

Cookies are small pieces of information that are saved onto the device from which the Service is accessed and which allow Payana to provide certain services such as the ability to recall certain aspects of your most recent content search so that subsequent searches will be faster. Cookies can be removed from your device if you so desire. Most browsers will automatically accept Cookies. However, you can change the settings of your device to prevent Cookies being saved or to remove Cookies which may already be present on your device. Most of the services of our Website can be used without Cookies.

Payna uses its own Cookies and Third Party Cookies as follows:

• Cookies which are strictly necessary to provide a service expressly requested by the user: Specifically, Payana uses the necessary cookies to save a User’s login.
• Session Cookies: These Cookies are saved and valid for a fixed period of time only, that is, until the user quits navigating or using the Service. These Cookies do not permanently save any information onto your device.
• Navigation Cookies: The primary objective of these Cookies is to avoid offering you recommendations which are unrelated to your areas of interest, as well as to provide you with targeted and personalized commercial offers. Navigation Cookies function by temporarily tracking your Internet navigation. You can remove this type of cookie before starting a navigation session in the Service

You can configure your browser to accept or reject all Cookies by default, or to receive an on-screen notification each time a Cookie request is made at which point you can decide whether or not to allow said cookie to be saved onto your hard drive. To this end, we recommend that you consult the help section of your browser for information on how to change the settings that you currently use or use browsers in “incognito” mode. Should you decide to reject all Cookies, you will continue to be able to navigate the Platform but your access to certain sections may be limited. For more information regarding how to manage cookies, we recommend you visit http://www.aboutcookies.org

3.3 Third parties, to whom the Controller and/or the Processor may transfer the Customer Personal Data for processing for the purposes and in the ways indicated in this Consent:

3.3.1. Centers for personal data processing and storing (data processing centers, data centers):

Provided Personal Data: All Personal Data listed in this Consent;

Personal Data provision purpose: Customer/Visitor  Personal Data safe storage;

List of data processing centers:

OVH -Becket House, 1 Lambeth Palace Road, London SE1, United Kingdom

3.3.2. State authorities authorized to receive personal data; auditors, consultants, accountants, notaries, lawyers (if necessary):

Provided Personal Data: All Personal Data listed in this Consent;

Personal Data provision purpose: The Controller provides the Customer Personal Data solely in case of the disclosure requirement to authorized official authorities or persons in accordance with the applicable law, order, decree, court decision and in the minimum necessary extent.

3.3.3. Our employees who are in contact with the Customer or who are responsible for marketing, customer support, IT department who are responsible for providing support to our Customer, analyzing and improving our Website and Services.

Validity period of the consent:

• If the Customer is a citizen or a company registered in a European Union country or has been verified to work with citizens or companies registered in the European Union countries, this Consent is valid for the minimum required period of the Customer Personal Data processing, namely within 5 (five) years from the date of the termination of interaction between the Customer and Payana. The Personal Data storage period may be extended from 5 (five) to 7 (seven) years from the date of the termination of interaction between the Customer and Payana;
• If the Customer is not a citizen or a company registered in a European Union country and has not been verified to work with citizens or companies registered in the European Union countries, the Personal Data processing period for such Customer is unlimited and Customer consents that such Personal Data may be processed by the Controller and its Processors after the termination of the Customer Agreement between Customer and Payana.

Special rules for Customers that are citizens of European Union countries or have been verified to work with citizens of the European Union countries:

• Consent withdrawal: If the Customer is a citizen or a company registered in a European Union country or has been verified to work with citizens or companies registered in the European Union countries, the Controller is obliged to comply with the GDPR Directive on the specified above minimum period for such Customer Personal Data storage. The Personal Data Subject understands, agrees and confirms that the right to withdraw this Consent cannot be applied prior to the mandatory Personal Data storage period expiration in accordance with the provisions of the GDPR Directive;

If the Customer is a citizen or a company registered in a European Union country or has been verified to work with citizens or companies registered in the European Union countries has not withdrawn this Consent after five (5) years following to the termination of interaction between the Customer and Payana. in the Customer Agreement framework, the Controller, provided that the competent authority does not require the extension of the Personal Data processing to 7 (seven) years period, at the end of this five-year period erases the personal data by irrevocable destruction, and also informs all third parties to whom the Controller and/or Processors transferred the Customer Personal Data regarding such erasure, and demands the implementation of similar actions on their part.

• Customer that is a citizen or a company registered in a European Union country or has been verified to work with citizens or companies registered in the European Union countries is also notified that at any time of the Consent validity period he has the right to:
• Access the Personal Data, i.e. has the right to request and obtain from the Controller a confirmation as to whether or not personal data are being processed / access to Personal Data and the following information: the purposes of the processing; the categories of personal data concerned, all possible recipients of the Personal Data, where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• Obtain from the Controller without undue delay the rectification of inaccurate Personal Data, the completion of Customer’s incomplete Personal Data, as well as require the receipt of notifications from the Controller regarding any corrections, additions, erasures or limitations to the Personal Data processing;
• Erasure of the Personal Data (“right to be forgotten”) if: personal data no longer necessary in relation to the purposes for which they were collected or otherwise processed; the Personal Data Subject withdraws the Consent, and there is no other legal ground for the processing; the Personal Data Subject objects to the Personal Data processing and there are no overriding legitimate grounds for the processing; Personal Data has been unlawfully processed; Personal Data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; Personal Data has been collected in relation to the offer of information society services to a child (taking into account the provisions of Article 8 (1) of GDPR);
• Obtain restriction of Personal data processing if: the accuracy of the personal data is contested by the Customer, for a period enabling the Controller to verify the accuracy of the personal data; the processing is unlawful and the Customer opposes the erasure of the personal data and requests the restriction of their use instead; the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Customer for the establishment, exercise or defense of legal claims; the Customer has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Customer;
• Personal Data portability, i.e. to receive the Personal Data, which Customer has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller;
• Object to Personal Data processing, and as result the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the Personal Data processing which override the interests, rights and freedoms of the Customer or for the establishment, exercise or defense of legal claims (where personal data is processed for direct marketing purposes, the Customer shall have the right to object to processing of personal data for such marketing, and the Controller shall no longer process the Personal Data for such purposes);
• File a complaint regarding the Controller/Processors actions to the supervisory authority.

Refusal to grant the Consent: Personal Data Subject hereby confirms that he has been notified that the provision of this Consent is not mandatory and the Customer may at any time refuse it. However, the Consent granted by the Customer is a requirement necessary for the conclusion of the Customer Agreement between the Customer and Payana. In the case of absence of the Customer signed Consent, the contractual relationship between the Customer and Payana does not arise.

3.4. Security: We have implemented cutting-edge technical and organizational security measures to protect the data in our possession from any kind of unfortunate incidents as accidental data loss, misuse, alteration, disclosure, destruction or unauthorized access, as well, access of your data is limited only to authorized personnel that will process your data subject to a duty of confidentiality. However, no data transmission on the internet can be guaranteed 100% to be safe from intrusion but we have a set of procedures to follow in case we need to deal with any suspected or actual data security breach. In such case, we will notify you right away and the supervisory authority of a suspected breach where we are legally required to do so.

3.5  Data collecting from Minors: Payana has a strict policy of not knowingly collecting any Personal Data or information from individuals who are under the age of eighteen (18) years. In the event that we become aware of any personal information collected from a minor, we will promptly delete all such information from our database.

3.6: Customer Rights, Queries, and Complaints

As a customer, you have certain rights pertaining to your personal data and the ability to address any concerns or complaints.

• You have the right to request modifications or rectifications to your personal data stored in our database, such as contact and billing information. To do so, you can contact us at [email protected] or open a support ticket through your customer dashboard.
• You have the right to restrict, refuse, or revoke your consent for the processing of your Personal Data. However, please note that terminating the processing of your Personal Data may make it difficult or even impossible for us to provide services to you.
• You can exercise your right to data portability by requesting a copy of your Personal Data, provided you have not already deleted it. This copy will be provided to you in a structured, common, and machine-readable format. Additionally, you can request information about all the Personal Data we have stored about you. To make these requests, please contact us at [email protected].
• If you have any questions, concerns, or complaints regarding our data collection and handling practices, we encourage you to reach out to us via email at [email protected].

4. Changes to Our Privacy Notice

Any changes we make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by email.

If you have any questions, concerns or complaints about our Privacy Notice, our privacy practices, or our data processing activities, you can contact our Data Protection Officer.

Last Updated: 01.06.2023