This Privacy Policy rules the User’s (“Client” or “Merchant” or “You” or “Your”) use of products, services, technology, and content, offered by OROPAY (or the “Company” or “We”) through its platform, website and any other feature that collectively constitute the OROPAY services offering. It also governs without limitation the provision and use of the User’s personal data and information in relation to the provided services.

As a User, by entering into an agreement with OROPAY, setup your account, access or use any of the services, you accept and consent to this Privacy Policy, and by doing so you consent to the use and disclosure of your personal information by OROPAY as provided for herein.

Please contact us if you have questions about our privacy practices that are not addressed in this Privacy Policy.


“Controller” shall mean OROPAY;

“Personal Data” or “Information” shall mean any information relating to an identified or identifiable User including legal persons such as Merchant entities and which will be provided in relation to receiving the OROPAY services. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

“Personal Data Filing System” or “Filing System” shall mean the OROPAY system where the personal data of the User is stored;

“Policy Update” shall mean any notice given to the User in relation to policy changes prior to them taking effect;

“Processing of Personal Data” or “Processing” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

“Processor” shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of OROPAY;

“Third Party” shall mean any natural or legal person, public authority, agency or any other body other than the User, OROPAY, and the persons who, under the direct authority of OROPAY, are authorized to process the data;

“Recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;

“the User’s Consent” shall mean any freely given specific and informed indication of his wishes by which the User signifies his agreement to personal data relating to him being processed.


OROPAY has developed this Privacy Policy, in accordance with the requirements set out in the EU 2016/679 General Data Protection Regulation, to explain how we may collect, retain, process, share and transfer your Personal Data when you visit our Site or use our Services.

OROPAY will not sell, lease, or otherwise distribute any of the User’s information to third parties for marketing purposes unless the User explicitly consents to such sale, lease or distribution. This does not preclude OROPAY from providing third parties such information that may be needed to enhance the User experience or to simply offer certain services to the User, and in such instances OROPAY will take every commercially reasonable precaution to safeguard the interests of the User from any misuse of his personal data by the third party. Information to third parties will be provided under strict restrictions as those are described in the “Information Sharing” section of this policy.

The Privacy Policy may be amended from time to time at OROPAY’s sole discretion and as required by applicable laws and regulation. The amended version of the Privacy Policy will be posted on the OROPAY website ( and will be deemed as received by all Users. If the revised version includes a substantial change, we will provide you with 30 days prior notice (prior to the changes taking effect) either by posting such notice in an accessible area on the OROPAY website ( and/or by sending an email notice to all Users, as per clause 2.12 of Terms & Conditions of Service (General Client Agreement) posted online on OROPAY website (and as amended from time to time).

This Privacy Policy does not cover any third party websites whose access and use is governed by their own privacy policies. OROPAY may provide links to such websites and the User acknowledges that the provision of such links for access to such third party websites, do not make OROPAY responsible for their operations and use of personal information practices. OROPAY strongly recommends to its Users to carefully review the privacy policies of such third party websites prior to submitting any personal information.

Persons under the age of 18 are not eligible to use the OROPAY services. We do not knowingly collect information, including Personal Data, from children or other individuals who are not legally able to use our Sites and Services. If we obtain actual knowledge that we have collected Personal Data from a child under the age of majority, we will promptly delete it, unless we are legally obligated to retain such data. Contact us if you believe that we have mistakenly or unintentionally collected information from a child under the age of majority.


We collect Personal Data about you when you visit our Site or use our Services, including the following:

Registration and use information: during the registration process OROPAY requires you to provide verifiable information, such as but not limited to:

OROPAY may require you to provide us with additional Personal Data as you use our Services.

Additional Client Information: For certain high value transactions, or for high overall transaction volumes performed through the User’s OROPAY account, or as is otherwise required for OROPAY to be compliant with its anti-money laundering obligations under European law, OROPAY will require additional identification information and for legal entities commercial information.

OROPAY may use a variety of information sources that do not violate any personal information privacy rules, in its merchant assessment process. It may also request additional information from Clients if it is unable to verify the identity their identity with the personal data in hand, or if the Client requests to redeem the e-money to an account other than the funding source accounts it provided when entering into the Agreement with OROPAY.

Client provided information may be verified with third party providers such as but not limited to payment processors as a measure to enhance the Users’ protection. Such verification may involve the receipt and processing of information that will verify the Client’s identity. Where a legal entity (merchant or user) is involved with limited operational history, and/or in cases of high value transactions or overall high-volume transactions, OROPAY will conduct enhanced due diligence that will involve background checks (including credit and judicial) of the legal entity to ascertain its business operations status. Such background checks may also include the legal entity’s ultimate beneficial owner(s) as well as its directors (as the law of the jurisdiction may permit). OROPAY may also elect to collect information that is publicly available over the internet or through social media platforms, in an attempt to create a more holistic profile of the merchant’s business that may include but not be limited to market positioning, reputation, target market and customer base. The profile will be used to confirm the transaction volume and size.

Information on transactions: OROPAY will also ask the Client to provide information relevant to the transaction when sending or asking to receive money from another party. Such information will include a description of the transaction and the amount. When sending money to another OROPAY client, the Client will be asked to provide additional personal information of the receiving client in order to verify the recipient and the sending client may be asked to provide additional personal data to the recipient for the recipient to be able to identify the sender and accept the transaction.

Information from your device: In order to offer its services, OROPAY may collect and store sign on data from the device the Client uses to enroll or to access their account that may uniquely identify the device (such as device ID), as well the device’s geographical location (and by extension its User). Such information may be collected irrespective of the type of device used or the connectivity method (wired or wireless, Wi- Fi or mobile). OROPAY will collect Client IP information and other information that will assist it in detecting potentially unauthorized transactions in an effort to protect Client interests.

Information about your visit: OROPAY will also collect information that relates to the Client’s OROPAY website access and includes but is not limited to visiting and leaving the website, the OROPAY website page browsing history, the Client’s IP address of where the website was accessed, the time that was accessed and any other websites visited through links on OROPAY’s website. OROPAY will also use small data files such as cookies, and place them on the Client’s device in an effort to enhance and personalize the Client experience, as well as to strengthen the security measures taken to protect the Client’s account by mitigating the risk of fraud. OROPAY has developed its own Cookie Policy that can be accessed via the OROPAY website ( by all visitors (both registered users and guests). All OROPAY website visitors have the right to accept or decline the Cookie Policy. OROPAY cannot guarantee that the browsing of its website and/or the access to the OROPAY services will be seamless and problem free if the Cookie Policy is declined.

Records of our discussions: All communication between the Client and OROPAY will be recorded and retained for reference purposes when and if required by the Company or the regulatory authority that supervises the operations. In cases where personal information may be collected with the use of optional collection methods such as survey questionnaires and special offers for the creation of a demographic profile and/or assessment of Client specific interests, OROPAY will inform you how the information may be used before the Client decides to participate.

All information procured during the account opening process, including the information used for verification of the information, the device specific and location information collected during the accessing of the website and the Client’s account, the information relating to the payment and commercial transactions as well as any Client reports or statements generated, the Client account preferences and any correspondence between the Client and OROPAY will constitute the Account Information that relate to the Client for the purposes of this Privacy Policy.


Information collected from Clients are primarily used for the provision of the OROPAY services in a manner that OROPAY deems fit to enhance the Client experience by making it safer, more targeted, efficient and effective.

The Client acknowledges and agrees that personal information provided for the OROPAY service (in the beginning and during the course of the relationship), can be used by OROPAY to predominantly:

OROPAY may communicate with its clients regularly through direct email communication and through general announcements/postings on its website. It also reaches Clients via telephone for even more direct communication for a variety of reasons including but not limited to:

OROPAY will contact the Client via email to confirm account opening, to send transaction confirmation notices as well as service notices, including product and service changes, changes in the terms and conditions of the Agreement as well as regulatory disclosures and information required by applicable law. These email notifications are compulsory and the Client has no option to stop receiving them.

OROPAY will also send other email notifications which are of a promotional or general information nature, such as news and third party promotions, and are therefore not compulsory giving Clients the option to stop receiving them. The option to receive or stop such email communication can be managed through the Client’s online account interface, or alternatively by contacting one of OROPAY’s representatives and asking them to opt-out of such email service. SMS may also be used as an alternative to email and in such instances it should be deemed as if the communication was by email and treated in the same manner.

Information may also be provided to the OROPAY auditors who may request such information in the course of reconciliation exercises and for the purpose of contacting clients to confirm the accuracy of OROPAY’s records.


We may share your Personal Data or other information about you with others in a variety of ways for the following reasons:

- In order to offer our services, the Company deals with third party service providers and organisations (either to outsource important functions or to enhance the quality of the service.) These third parties may include (without limitation) IT support teams, banks, exchange facilities having control or jurisdiction over us and electronic search providers carrying out anti-money laundering and sanction checks for us. In the course of these arrangements, the Company may disclose Client data to such third party service providers so that they can provide the services they were engaged to provide.

- Information collected from the Client as a registered user of OROPAY’s services and in relation to send and receive transactions, will be made available to other OROPAY Clients in the course of either sending or receiving payments. For Merchants, OROPAY will also show URL information as well as other merchant contact information provided. This information as well as potentially additional information may be shared with third parties when the OROPAY service is accessed through the third parties’ interface. For purchase transactions, OROPAY may provide the seller with the Client’s delivery address for order fulfillment and delivery purposes, and the buyer with the return address of the seller in case the goods have to be returned.

- We may share your Personal Data with our employees that perform services and functions at our direction and on our behalf such as services to verify your identity, assist in processing transactions, send you advertisements for our products and services or provide customer support.

- We may disclose necessary information to your agent or legal representative (such as the holder of a power of attorney that you grant, or a guardian appointed for you).

- We may share information about you with other parties for OROPAY’s business purposes or as permitted or required by law, including:

- We will also share your Personal Data and other information with your consent or direction, including if you authorise an account connection with a third-party account or platform.

In addition, OROPAY may provide aggregated statistical data to third-parties, including other businesses and members of the public, about how, when, and why Users visit our Site and use our Services. This data will not personally identify you or provide information about your use of the Sites or Services. OROPAY will not share the personal information with third parties for marketing purposes unless the Client provides explicit consent to do so. Any disclosures of such information will only be provided in line with the provisions of this Privacy Policy.


Our operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, but not limited to, third-party service providers.

The Client acknowledges and agrees that acceptance of this Privacy Policy grants OROPAY the Client’s consent to transfer personal data to another OROPAY Client who may be located outside the EEA (in a jurisdiction that may afford less privacy), every time the Client makes a payment or attempts to make a payment to such non EEA OROPAY Client, as a requirement to process, execute, and provide payment specific information.


Data Keeping period is registered for a specific Department in “GDPR Record of Activities OROPAY V12020” and may be different for different categories of data. In line with current legislation the data retention period is respectively 5 and 7 years as follows:


Security of Client information is of outmost importance to OROPAY, which has adopted commercially reasonable standards to ensure that the personal information is protected. OROPAY uses a range of safeguards to insulate information from unauthorized access. Technology barriers include data encryption tools, and a combination of Next - Generation Firewall (NGFW), General Intrusion Prevention System (GIPS) and Active Management Technology (AMT) as a fence against potential intruders.

Of course, OROPAY needs its Clients’ contribution to achieve the high level of security and protection it aspires to reach. Without the Client’s password protection, intrusion measures are only that much effective, and OROPAY asks its Clients to protect their password and not divulge or expose such information to anyone. OROPAY representatives will never ask you for your password and neither will any email communication received from OROPAY will ever ask you to enter or provide such password information. Any email received requesting such information should be treated as suspicious and unauthorized. OROPAY would like to be informed of such unauthorized emails and asks its Clients to forward such emails to customer support at and then disregard and delete them.

Where a Client provides a third person with the password to access the account, the Client acknowledges that the account is at risk and takes full responsibility for any actions the third party takes when accessing the account. If a Client believes that such access was never granted intentionally, and that the third party obtained unauthorized access to the account, OROPAY asks the Client to change the password immediately and contact OROPAY Support. If the Client is unable to change password by accessing your account, he/she can immediately contact OROPAY support, inform them of the inability, and have one of the customer support staff reset the password.


Rights relating to the Personal Data We Collect

Personal Data: You may decline to provide Personal Data when it is requested by OROPAY, but certain Services or all of the Services may be unavailable to you.

Location and other device-level information: The device you use to access the Site or Services may collect information about you, including Geolocation Information and User usage data that OROPAY may then collect and use. For information about your ability to restrict the collection and use of such information, please use the settings available in the device.

Rights to Access:

You have the right to request copies of the personal information we hold about you.

Information must be provided without delay and at the latest within one month of receipt of your request. OROPAY will be able to extend the period by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.

OROPAY will provide a copy of the information free of charge. However, we can charge a “reasonable fee” when a request is repetitive.

The fee if applied will be based on the administrative cost of providing the information.

If at any time, OROPAY refuse to respond to a request, we will explain the reasons to you, informing you of your right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

Right for rectification

Users are entitled to have personal data rectified if it is inaccurate or incomplete.

Before we update your file, we may need to check the accuracy of the new information you have provided.

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort.

Upon the receipt of your request for rectification of your personal data, OROPAY shall respond within one month. This can be extended by two months where the request for rectification is complex.

Where OROPAY is not taking action in response to a request for rectification, we will explain the reasons to you, informing you of your right to complain to the supervisory authority and to a judicial remedy as required to do so by the General Data Protection Regulation (GDPR).

Right to erasure

You can ask us to delete your personal information if:

  • There's no good reason for us to continue using your personal information;
  • You gave to OROPAY consent (permission) to use the information and you have now withdrawn that consent;
  • You have objected to OROPAY to continue using the information;
  • OROPAY has unlawfully processed the information (i.e. otherwise in breach of the GDPR);
  • The personal data has to be erased in order to comply with a legal obligation.

There are some specific circumstances where the right to erasure does not apply and OROPAY can refuse to deal with a request.

OROPAY can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  1. To comply with a legal obligation for the performance of a public interest task or exercise of official authority;
  2. The exercise or defence of legal claims.

Right to object:

You have the right to object to us:

  • Processing other information based on legitimate interests or the performance of a task in the public interest/exercise of official authority (however, if there is an overriding reason why we need to use the information i.e. legal reasons, we will not accept your request);
  • Processing your personal information for marketing purposes (including profiling).

Right to restrict processing

You can ask us to suspend using your personal data in the following circumstances if:

  • You contest the accuracy of the personal data, and you want us to investigate the accuracy of the personal data;
  • You have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether we have an overriding reason to use it;
  • When processing is unlawful, and the individual opposes erasure and requests restriction instead;
  • When we no longer need the information, but you want us to continue holding it for you in connection with a legal claim.

Right to data portability:

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. If we are allowed to do so under regulatory requirements, OROPAY upon your request will transfer your personal information to you in a commonly used, machine-readable format.

We will stop processing the personal data unless:

  1. we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the User; or
  2. the processing is for the establishment, exercise or defence of legal claims.


Clients who wish to know more about this Privacy Policy and receive information on how they can access their personal information as well as ask any specific questions in relation to this Privacy Policy, are encouraged to contact our appointed Data Protection Officer either by phone or email (DPO) as follows:

Data Protection Officer of OROPAY:

9 Agiou Athanasiou Avenue, Linopetra, Limassol, 4102

+357 25 752110


If you are not satisfied by the way in which we address your concerns, you have the right to lodge a complaint with the Supervisory Authority for data protection.

Cyprus Data Protection Commissioner

Office of the Commissioner for Personal Data Protection

1 Iasonos str., 1082 Nicosia

P.O.Box 23378, 1682 Nicosia

Tel: +357 22818456

Fax: +357 22304565


Contact details of the Data Protection Officer (DPO) of the Commissioner’s Office