“Controller” shall mean OROPAY;
“Personal Data” or “Information” shall mean any information relating to an identified or identifiable User including legal persons such as Merchant entities and which will be provided in relation to receiving the OROPAY services. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
“Personal Data Filing System” or “Filing System” shall mean the OROPAY system where the personal data of the User is stored;
“Policy Update” shall mean any notice given to the User in relation to policy changes prior to them taking effect;
“Processing of Personal Data” or “Processing” shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
“Processor” shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of OROPAY;
“Third Party” shall mean any natural or legal person, public authority, agency or any other body other than the User, OROPAY, and the persons who, under the direct authority of OROPAY, are authorized to process the data;
“Recipient” shall mean a natural or legal person, public authority, agency or any other body to whom data are disclosed, whether a third party or not; however, authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients;
“the User’s Consent” shall mean any freely given specific and informed indication of his wishes by which the User signifies his agreement to personal data relating to him being processed.
OROPAY will not sell, lease, or otherwise distribute any of the User’s information to third parties for marketing purposes unless the User explicitly consents to such sale, lease or distribution. This does not preclude OROPAY from providing third parties such information that may be needed to enhance the User experience or to simply offer certain services to the User, and in such instances OROPAY will take every commercially reasonable precaution to safeguard the interests of the User from any misuse of his personal data by the third party. Information to third parties will be provided under strict restrictions as those are described in the “Information Sharing” section of this policy.
OROPAY will not sell, purchase, provide, exchange or in any other manner disclose Account or Transaction data, or personal information of or about a Cardholder to anyone, except, it’s Acquirer, Visa/Mastercard Corporations or in response to valid government demands.
Persons under the age of 18 are not eligible to use the OROPAY services. We do not knowingly collect information, including Personal Data, from children or other individuals who are not legally able to use our Sites and Services. If we obtain actual knowledge that we have collected Personal Data from a child under the age of majority, we will promptly delete it, unless we are legally obligated to retain such data. Contact us if you believe that we have mistakenly or unintentionally collected information from a child under the age of majority.
We collect Personal Data about you when you visit our Site or use our Services, including the following:
Registration and use information: during the registration process OROPAY requires you to provide verifiable information, such as but not limited to:
OROPAY may require you to provide us with additional Personal Data as you use our Services.
Additional Client Information: For certain high value transactions, or for high overall transaction volumes performed through the User’s OROPAY account, or as is otherwise required for OROPAY to be compliant with its anti-money laundering obligations under European law, OROPAY will require additional identification information and for legal entities commercial information.
OROPAY may use a variety of information sources that do not violate any personal information privacy rules, in its merchant assessment process. It may also request additional information from Clients if it is unable to verify the identity their identity with the personal data in hand, or if the Client requests to redeem the e-money to an account other than the funding source accounts it provided when entering into the Agreement with OROPAY.
Client provided information may be verified with third party providers such as but not limited to payment processors as a measure to enhance the Users’ protection. Such verification may involve the receipt and processing of information that will verify the Client’s identity. Where a legal entity (merchant or user) is involved with limited operational history, and/or in cases of high value transactions or overall high-volume transactions, OROPAY will conduct enhanced due diligence that will involve background checks (including credit and judicial) of the legal entity to ascertain its business operations status. Such background checks may also include the legal entity’s ultimate beneficial owner(s) as well as its directors (as the law of the jurisdiction may permit). OROPAY may also elect to collect information that is publicly available over the internet or through social media platforms, in an attempt to create a more holistic profile of the merchant’s business that may include but not be limited to market positioning, reputation, target market and customer base. The profile will be used to confirm the transaction volume and size.
Information on transactions: OROPAY will also ask the Client to provide information relevant to the transaction when sending or asking to receive money from another party. Such information will include a description of the transaction and the amount. When sending money to another OROPAY client, the Client will be asked to provide additional personal information of the receiving client in order to verify the recipient and the sending client may be asked to provide additional personal data to the recipient for the recipient to be able to identify the sender and accept the transaction.
Information from your device: In order to offer its services, OROPAY may collect and store sign on data from the device the Client uses to enroll or to access their account that may uniquely identify the device (such as device ID), as well the device’s geographical location (and by extension its User). Such information may be collected irrespective of the type of device used or the connectivity method (wired or wireless, Wi- Fi or mobile). OROPAY will collect Client IP information and other information that will assist it in detecting potentially unauthorized transactions in an effort to protect Client interests.
Records of our discussions: All communication between the Client and OROPAY will be recorded and retained for reference purposes when and if required by the Company or the regulatory authority that supervises the operations. In cases where personal information may be collected with the use of optional collection methods such as survey questionnaires and special offers for the creation of a demographic profile and/or assessment of Client specific interests, OROPAY will inform you how the information may be used before the Client decides to participate.
Information collected from Clients are primarily used for the provision of the OROPAY services in a manner that OROPAY deems fit to enhance the Client experience by making it safer, more targeted, efficient and effective.
The Client acknowledges and agrees that personal information provided for the OROPAY service (in the beginning and during the course of the relationship), can be used by OROPAY to predominantly:
OROPAY may communicate with its clients regularly through direct email communication and through general announcements/postings on its website. It also reaches Clients via telephone for even more direct communication for a variety of reasons including but not limited to:
OROPAY will contact the Client via email to confirm account opening, to send transaction confirmation notices as well as service notices, including product and service changes, changes in the terms and conditions of the Agreement as well as regulatory disclosures and information required by applicable law. These email notifications are compulsory and the Client has no option to stop receiving them.
OROPAY will also send other email notifications which are of a promotional or general information nature, such as news and third party promotions, and are therefore not compulsory giving Clients the option to stop receiving them. The option to receive or stop such email communication can be managed through the Client’s online account interface, or alternatively by contacting one of OROPAY’s representatives and asking them to opt-out of such email service. SMS may also be used as an alternative to email and in such instances it should be deemed as if the communication was by email and treated in the same manner.
Information may also be provided to the OROPAY auditors who may request such information in the course of reconciliation exercises and for the purpose of contacting clients to confirm the accuracy of OROPAY’s records.
We may share your Personal Data or other information about you with others in a variety of ways for the following reasons:
Our operations are supported by a network of computers, cloud-based servers, and other infrastructure and information technology, including, but not limited to, third-party service providers.
Data Keeping period is registered for a specific Department in “GDPR Record of Activities OROPAY V12020” and may be different for different categories of data. In line with current legislation the data retention period is respectively 5 and 7 years as follows:
Security of Client information is of outmost importance to OROPAY, which has adopted commercially reasonable standards to ensure that the personal information is protected. OROPAY uses a range of safeguards to insulate information from unauthorized access. Technology barriers include data encryption tools, and a combination of Next - Generation Firewall (NGFW), General Intrusion Prevention System (GIPS) and Active Management Technology (AMT) as a fence against potential intruders.
Of course, OROPAY needs its Clients’ contribution to achieve the high level of security and protection it aspires to reach. Without the Client’s password protection, intrusion measures are only that much effective, and OROPAY asks its Clients to protect their password and not divulge or expose such information to anyone. OROPAY representatives will never ask you for your password and neither will any email communication received from OROPAY will ever ask you to enter or provide such password information. Any email received requesting such information should be treated as suspicious and unauthorized. OROPAY would like to be informed of such unauthorized emails and asks its Clients to forward such emails to customer support at [email protected] and then disregard and delete them.
Where a Client provides a third person with the password to access the account, the Client acknowledges that the account is at risk and takes full responsibility for any actions the third party takes when accessing the account. If a Client believes that such access was never granted intentionally, and that the third party obtained unauthorized access to the account, OROPAY asks the Client to change the password immediately and contact OROPAY Support. If the Client is unable to change password by accessing your account, he/she can immediately contact OROPAY support, inform them of the inability, and have one of the customer support staff reset the password.
Rights relating to the Personal Data We Collect
Personal Data: You may decline to provide Personal Data when it is requested by OROPAY, but certain Services or all of the Services may be unavailable to you.
Location and other device-level information: The device you use to access the Site or Services may collect information about you, including Geolocation Information and User usage data that OROPAY may then collect and use. For information about your ability to restrict the collection and use of such information, please use the settings available in the device.
Rights to Access:
You have the right to request copies of the personal information we hold about you.
Information must be provided without delay and at the latest within one month of receipt of your request. OROPAY will be able to extend the period by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
OROPAY will provide a copy of the information free of charge. However, we can charge a “reasonable fee” when a request is repetitive.
The fee if applied will be based on the administrative cost of providing the information.
If at any time, OROPAY refuse to respond to a request, we will explain the reasons to you, informing you of your right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
Right for rectification
Users are entitled to have personal data rectified if it is inaccurate or incomplete.
Before we update your file, we may need to check the accuracy of the new information you have provided.
If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the rectification – unless this proves impossible or involves disproportionate effort.
Upon the receipt of your request for rectification of your personal data, OROPAY shall respond within one month. This can be extended by two months where the request for rectification is complex.
Where OROPAY is not taking action in response to a request for rectification, we will explain the reasons to you, informing you of your right to complain to the supervisory authority and to a judicial remedy as required to do so by the General Data Protection Regulation (GDPR).
Right to erasure
You can ask us to delete your personal information if:
There are some specific circumstances where the right to erasure does not apply and OROPAY can refuse to deal with a request.
OROPAY can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
Right to object:
You have the right to object to us:
Right to restrict processing
You can ask us to suspend using your personal data in the following circumstances if:
Right to data portability:
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. If we are allowed to do so under regulatory requirements, OROPAY upon your request will transfer your personal information to you in a commonly used, machine-readable format.
We will stop processing the personal data unless:
9 Agiou Athanasiou Avenue, Linopetra, Limassol, 4102
Email: [email protected]
If you are not satisfied by the way in which we address your concerns, you have the right to lodge a complaint with the Supervisory Authority for data protection.
Office of the Commissioner for Personal Data Protection
1 Iasonos str., 1082 Nicosia
P.O.Box 23378, 1682 Nicosia
Tel: +357 22818456
Fax: +357 22304565
Email: [email protected]
Contact details of the Data Protection Officer (DPO) of the Commissioner’s Office
Email: [email protected]