This Privacy Policy rules the User’s (“Client” or “Merchant” or “You” or “Your”) use of products,
services, technology, and content, offered by OROPAY (or the “Company” or “We”) through its
platform, website and any other feature that collectively constitute the OROPAY services offering. It
also governs without limitation the provision and use of the User’s personal data and information in
relation to the provided services.
As a User, by entering into an agreement with OROPAY, setup your account, access or use any of the
services, you accept and consent to this Privacy Policy, and by doing so you consent to the use and
disclosure of your personal information by OROPAY as provided for herein.
Please contact us if you have questions about our privacy practices that are not addressed in this
Privacy Policy.
DEFINITIONS
“Controller” shall mean OROPAY;
“Personal Data” or “Information” shall mean any information relating to an identified or
identifiable User including legal persons such as Merchant entities and which will be provided in
relation to receiving the OROPAY services. An identifiable person is one who can be identified,
directly or indirectly, in particular by reference to an identification number or to one or more factors
specific to his physical, physiological, mental, economic, cultural or social identity;
“Personal Data Filing System” or “Filing System” shall mean the OROPAY system where the
personal data of the User is stored;
“Policy Update” shall mean any notice given to the User in relation to policy changes prior to them
taking effect;
“Processing of Personal Data” or “Processing” shall mean any operation or set of operations which
is performed upon personal data, whether or not by automatic means, such as collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination, blocking,
erasure or destruction;
“Processor” shall mean a natural or legal person, public authority, agency or any other body which
processes personal data on behalf of OROPAY;
“Third Party” shall mean any natural or legal person, public authority, agency or any other body
other than the User, OROPAY, and the persons who, under the direct authority of OROPAY, are
authorized to process the data;
“Recipient” shall mean a natural or legal person, public authority, agency or any other body to whom
data are disclosed, whether a third party or not; however, authorities which may receive data in the
framework of a particular inquiry shall not be regarded as recipients;
“the User’s Consent” shall mean any freely given specific and informed indication of his wishes by
which the User signifies his agreement to personal data relating to him being processed.
OVERVIEW
OROPAY has developed this Privacy Policy, in accordance with the requirements set out in the EU
2016/679 General Data Protection Regulation, to explain how we may collect, retain, process, share
and transfer your Personal Data when you visit our Site or use our Services.
OROPAY will not sell, lease, or otherwise distribute any of the User’s information to third parties for
marketing purposes unless the User explicitly consents to such sale, lease or distribution. This does
not preclude OROPAY from providing third parties such information that may be needed to enhance
the User experience or to simply offer certain services to the User, and in such instances OROPAY will
take every commercially reasonable precaution to safeguard the interests of the User from any
misuse of his personal data by the third party. Information to third parties will be provided under
strict restrictions as those are described in the “Information Sharing” section of this policy.
The Privacy Policy may be amended from time to time at OROPAY’s sole discretion and as required
by applicable laws and regulation. The amended version of the Privacy Policy will be posted on the
OROPAY website (www.oropay.com) and will be deemed as received by all Users. If the revised
version includes a substantial change, we will provide you with 30 days prior notice (prior to the
changes taking effect) either by posting such notice in an accessible area on the OROPAY website
(www.oropay.com) and/or by sending an email notice to all Users, as per clause 2.12 of Terms &
Conditions of Service (General Client Agreement) posted online on OROPAY website (and as
amended from time to time).
This Privacy Policy does not cover any third party websites whose access and use is governed by
their own privacy policies. OROPAY may provide links to such websites and the User acknowledges
that the provision of such links for access to such third party websites, do not make OROPAY
responsible for their operations and use of personal information practices. OROPAY strongly
recommends to its Users to carefully review the privacy policies of such third party websites prior to
submitting any personal information.
Persons under the age of 18 are not eligible to use the OROPAY services. We do not knowingly collect
information, including Personal Data, from children or other individuals who are not legally able to
use our Sites and Services. If we obtain actual knowledge that we have collected Personal Data from
a child under the age of majority, we will promptly delete it, unless we are legally obligated to retain
such data. Contact us if you believe that we have mistakenly or unintentionally collected information
from a child under the age of majority.
COLLECTION OF INFORMATION
We collect Personal Data about you when you visit our Site or use our Services, including the
following:
Registration and use information: during the registration process OROPAY requires you
to provide verifiable information, such as but not limited to:
information you may be asked to provide to prove you are eligible to use our services.
home internet – or bank statement, up to 6 months)
CVC (the last three digits of the number on the back of the card);
registered office address, memorandum and articles of association, corporate
documents, recent audited financial statements, identification and proof of address of
beneficial owners, directors, authorized persons and any power of attorney.
OROPAY may require you to provide us with additional Personal Data as you use our Services.
Additional Client Information: For certain high value transactions, or for high overall
transaction volumes performed through the User’s OROPAY account, or as is otherwise
required for OROPAY to be compliant with its anti-money laundering obligations under
European law, OROPAY will require additional identification information and for legal
entities commercial information.
OROPAY may use a variety of information sources that do not violate any personal
information privacy rules, in its merchant assessment process. It may also request
additional information from Clients if it is unable to verify the identity their identity with
the personal data in hand, or if the Client requests to redeem the e-money to an account
other than the funding source accounts it provided when entering into the Agreement with
OROPAY.
Client provided information may be verified with third party providers such as but not
limited to payment processors as a measure to enhance the Users’ protection. Such
verification may involve the receipt and processing of information that will verify the
Client’s identity. Where a legal entity (merchant or user) is involved with limited
operational history, and/or in cases of high value transactions or overall high-volume
transactions, OROPAY will conduct enhanced due diligence that will involve background
checks (including credit and judicial) of the legal entity to ascertain its business operations
status. Such background checks may also include the legal entity’s ultimate beneficial
owner(s) as well as its directors (as the law of the jurisdiction may permit). OROPAY may
also elect to collect information that is publicly available over the internet or through social
media platforms, in an attempt to create a more holistic profile of the merchant’s business
that may include but not be limited to market positioning, reputation, target market and
customer base. The profile will be used to confirm the transaction volume and size.
Information on transactions: OROPAY will also ask the Client to provide information
relevant to the transaction when sending or asking to receive money from another party.
Such information will include a description of the transaction and the amount. When
sending money to another OROPAY client, the Client will be asked to provide additional
personal information of the receiving client in order to verify the recipient and the sending
client may be asked to provide additional personal data to the recipient for the recipient to
be able to identify the sender and accept the transaction.
Information from your device: In order to offer its services, OROPAY may collect and store
sign on data from the device the Client uses to enroll or to access their account that may
uniquely identify the device (such as device ID), as well the device’s geographical location
(and by extension its User). Such information may be collected irrespective of the type of
device used or the connectivity method (wired or wireless, Wi- Fi or mobile). OROPAY will
collect Client IP information and other information that will assist it in detecting potentially
unauthorized transactions in an effort to protect Client interests.
Information about your visit: OROPAY will also collect information that relates to the
Client’s OROPAY website access and includes but is not limited to visiting and leaving the
website, the OROPAY website page browsing history, the Client’s IP address of where the
website was accessed, the time that was accessed and any other websites visited through
links on OROPAY’s website. OROPAY will also use small data files such as cookies, and place
them on the Client’s device in an effort to enhance and personalize the Client experience, as
well as to strengthen the security measures taken to protect the Client’s account by
mitigating the risk of fraud. OROPAY has developed its own Cookie Policy that can be
accessed via the OROPAY website (www.oropay.com) by all visitors (both registered users
and guests). All OROPAY website visitors have the right to accept or decline the Cookie
Policy. OROPAY cannot guarantee that the browsing of its website and/or the access to the
OROPAY services will be seamless and problem free if the Cookie Policy is declined.
Records of our discussions: All communication between the Client and OROPAY will be
recorded and retained for reference purposes when and if required by the Company or the
regulatory authority that supervises the operations. In cases where personal information
may be collected with the use of optional collection methods such as survey questionnaires
and special offers for the creation of a demographic profile and/or assessment of Client
specific interests, OROPAY will inform you how the information may be used before the
Client decides to participate.
All information procured during the account opening process, including the information
used for verification of the information, the device specific and location information
collected during the accessing of the website and the Client’s account, the information
relating to the payment and commercial transactions as well as any Client reports or
statements generated, the Client account preferences and any correspondence between the
Client and OROPAY will constitute the Account Information that relate to the Client for the
purposes of this Privacy Policy.
INFORMATION USE
Information collected from Clients are primarily used for the provision of the OROPAY services in a
manner that OROPAY deems fit to enhance the Client experience by making it safer, more targeted,
efficient and effective.
The Client acknowledges and agrees that personal information provided for the OROPAY service (in
the beginning and during the course of the relationship), can be used by OROPAY to predominantly:
limit of the account);
programs apply;
the terms of the OROPAY agreement.
OROPAY may communicate with its clients regularly through direct email communication and
through general announcements/postings on its website. It also reaches Clients via telephone for
even more direct communication for a variety of reasons including but not limited to:
OROPAY will contact the Client via email to confirm account opening, to send transaction
confirmation notices as well as service notices, including product and service changes, changes in the
terms and conditions of the Agreement as well as regulatory disclosures and information required
by applicable law. These email notifications are compulsory and the Client has no option to stop
receiving them.
OROPAY will also send other email notifications which are of a promotional or general information
nature, such as news and third party promotions, and are therefore not compulsory giving Clients
the option to stop receiving them. The option to receive or stop such email communication can be
managed through the Client’s online account interface, or alternatively by contacting one of
OROPAY’s representatives and asking them to opt-out of such email service. SMS may also be used as
an alternative to email and in such instances it should be deemed as if the communication was by
email and treated in the same manner.
Information may also be provided to the OROPAY auditors who may request such information in the
course of reconciliation exercises and for the purpose of contacting clients to confirm the accuracy of
OROPAY’s records.
INFORMATION SHARING
We may share your Personal Data or other information about you with others in a variety of ways for
the following reasons:
organizations (either to outsource important functions or to enhance the quality of the
service.) These third parties may include (without limitation) IT support teams, banks,
exchange facilities having control or jurisdiction over us and electronic search providers
carrying out anti-money laundering and sanction checks for us. In the course of these
arrangements, the Company may disclose Client data to such third party service providers
so that they can provide the services they were engaged to provide.
relation to send and receive transactions, will be made available to other OROPAY Clients in
the course of either sending or receiving payments. For Merchants, OROPAY will also show
URL information as well as other merchant contact information provided. This information
as well as potentially additional information may be shared with third parties when the
OROPAY service is accessed through the third parties’ interface. For purchase transactions,
OROPAY may provide the seller with the Client’s delivery address for order fulfillment and
delivery purposes, and the buyer with the return address of the seller in case the goods have
to be returned.
at our direction and on our behalf such as services to verify your identity, assist in
processing transactions, send you advertisements for our products and services or provide
customer support.
holder of a power of attorney that you grant, or a guardian appointed for you).
as permitted or required by law, including:
including if you authorise an account connection with a third-party account or platform.
In addition, OROPAY may provide aggregated statistical data to third-parties, including
other businesses and members of the public, about how, when, and why Users visit our Site
and use our Services. This data will not personally identify you or provide information about
your use of the Sites or Services. OROPAY will not share the personal information with third
parties for marketing purposes unless the Client provides explicit consent to do so. Any
disclosures of such information will only be provided in line with the provisions of this
Privacy Policy.
INTERNATIONAL TRANSFERS
Our operations are supported by a network of computers, cloud-based servers, and other
infrastructure and information technology, including, but not limited to, third-party service
providers.
The Client acknowledges and agrees that acceptance of this Privacy Policy grants OROPAY the Client’s
consent to transfer personal data to another OROPAY Client who may be located outside the EEA (in
a jurisdiction that may afford less privacy), every time the Client makes a payment or attempts to
make a payment to such non EEA OROPAY Client, as a requirement to process, execute, and provide
payment specific information.
RETENTION OF DATA
Data Keeping period is registered for a specific Department in “GDPR Record of Activities OROPAY
V12020” and may be different for different categories of data. In line with current legislation the data
retention period is respectively 5 and 7 years as follows:
monitoring, activity records etc. the retention period shall be 5 years;
years;
years.
SECURITY OF INFORMATION
Security of Client information is of outmost importance to OROPAY, which has adopted commercially
reasonable standards to ensure that the personal information is protected. OROPAY uses a range of
safeguards to insulate information from unauthorized access. Technology barriers include data
encryption tools, and a combination of Next – Generation Firewall (NGFW), General Intrusion
Prevention System (GIPS) and Active Management Technology (AMT) as a fence against potential
intruders.
Of course, OROPAY needs its Clients’ contribution to achieve the high level of security and protection
it aspires to reach. Without the Client’s password protection, intrusion measures are only that much
effective, and OROPAY asks its Clients to protect their password and not divulge or expose such
information to anyone. OROPAY representatives will never ask you for your password and neither
will any email communication received from OROPAY will ever ask you to enter or provide such
password information. Any email received requesting such information should be treated as
suspicious and unauthorized. OROPAY would like to be informed of such unauthorized emails and
asks its Clients to forward such emails to customer support at support@oropay.com and then
disregard and delete them.
Where a Client provides a third person with the password to access the account, the Client
acknowledges that the account is at risk and takes full responsibility for any actions the third party
takes when accessing the account. If a Client believes that such access was never granted
intentionally, and that the third party obtained unauthorized access to the account, OROPAY asks the
Client to change the password immediately and contact OROPAY Support. If the Client is unable to
change password by accessing your account, he/she can immediately contact OROPAY support,
inform them of the inability, and have one of the customer support staff reset the password.
YOUR RIGHTS AND PRIVACY CHOICES
Rights relating to the Personal Data We Collect
Personal Data: You may decline to provide Personal Data when it is requested by OROPAY, but
certain Services or all of the Services may be unavailable to you.
Location and other device-level information: The device you use to access the Site or Services may
collect information about you, including Geolocation Information and User usage data that OROPAY
may then collect and use. For information about your ability to restrict the collection and use of such
information, please use the settings available in the device.
Rights to Access:
You have the right to request copies of the personal information we hold about you.
Information must be provided without delay and at the latest within one month of receipt of your
request. OROPAY will be able to extend the period by a further two months where requests are
complex or numerous. If this is the case, we will inform you within one month of the receipt of the
request and explain why the extension is necessary.
OROPAY will provide a copy of the information free of charge. However, we can charge a “reasonable
fee” when a request is repetitive.
The fee if applied will be based on the administrative cost of providing the information.
If at any time, OROPAY refuse to respond to a request, we will explain the reasons to you, informing
you of your right to complain to the supervisory authority and to a judicial remedy without undue
delay and at the latest within one month.
Right for rectification
Users are entitled to have personal data rectified if it is inaccurate or incomplete.
Before we update your file, we may need to check the accuracy of the new information you have
provided.
If we have disclosed the personal data in question to others, we will contact each recipient and inform
them of the rectification – unless this proves impossible or involves disproportionate effort.
Upon the receipt of your request for rectification of your personal data, OROPAY shall respond within
one month. This can be extended by two months where the request for rectification is complex.
Where OROPAY is not taking action in response to a request for rectification, we will explain the
reasons to you, informing you of your right to complain to the supervisory authority and to a judicial
remedy as required to do so by the General Data Protection Regulation (GDPR).
Right to erasure
You can ask us to delete your personal information if:
withdrawn that consent;.
There are some specific circumstances where the right to erasure does not apply and OROPAY
can refuse to deal with a request.
OROPAY can refuse to comply with a request for erasure where the personal data is processed for
the following reasons:
exercise of official authority;
Right to object:
You have the right to object to us:
the public interest/exercise of official authority (however, if there is an overriding reason
why we need to use the information i.e. legal reasons, we will not accept your request);
Right to restrict processing:
You can ask us to suspend using your personal data in the following circumstances if:
the personal data.
interest task or purpose of legitimate interests), and we are considering whether we have an
overriding reason to use it.
instead;
connection with a legal claim;
Right to data portability:
The right to data portability allows individuals to obtain and reuse their personal data for their own
purposes across different services. If we are allowed to do so under regulatory requirements,
OROPAY upon your request will transfer your personal information to you in a commonly used,
machine-readable format.
We will stop processing the personal data unless:
interests, rights and freedoms of the User; or
CONTACT US
Clients who wish to know more about this Privacy Policy and receive information on how they can
access their personal information as well as ask any specific questions in relation to this Privacy
Policy, are encouraged to contact our appointed Data Protection Officer either by phone or email
(DPO) as follows:
Data Protection Officer of OROPAY:
9 Agiou Athanasiou Avenue, Linopetra, Limassol, 4102
+357 25 752110
Email: data@oropay.com
If you are not satisfied by the way in which we address your concerns, you have the right to lodge a
complaint with the Supervisory Authority for data protection.
Cyprus Data Protection Commissioner;
Office of the Commissioner for Personal Data Protection
1 Iasonos str., 1082 Nicosia
P.O.Box 23378, 1682 Nicosia
Tel: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy
Contact details of the Data Protection Officer (DPO) of the Commissioner’s Office
Email: dpo@dataprotection.gov.cy