PRIVACY NOTICE FOR ASTROPAY AS A SERVICE PROVIDER IN THE ISLE OF MAN.

All rights reserved. This document and the information it contains, or that may be extracted from it, is subject to the terms and conditions of the agreement or contract under which the document was supplied to the recipient’s organisation. None of the information contained in this document shall be disclosed outside of the recipient’s own organisation without prior written permission of AstroPay, unless the terms of such agreement expressly allow.

The Isle of Man has implemented the EU General Data Protection Regulation (“GDPR”), and this was achieved using an Order made under a new Data Protection Act 2018 which enables the Isle of Man to bring in EU laws relating to data protection.

New data protection provisions are in a set of regulations which set out all the data protection procedures and powers of the Information Commissioner, called the GDPR and LED Implementation Regulations 2018. GDPR sits alongside the EU’s Law Enforcement Directive (LED), which contains similar provision for organisations processing data for crime prevention, investigation, and law enforcement. This approach ensures that the Island's legislative position is equivalent to the GDPR.

In the event of a conflict between this document and a relevant law or regulation, the relevant law or regulation shall be followed. If the document creates a higher obligation, it shall be followed as long as this also achieves full compliance with the law or regulation.

Use of language

Throughout this document, the words ‘may’, ‘should’ and ‘must’, when used in the context of actions of AstroPay or others, have specific meanings as follows:

  1. ‘May’ is used where alternatives are equally acceptable.
  2. ‘Should’ is used where a provision is preferred.
  3. ‘Must’ is used where a provision is mandatory.

Note that alternative or preferred requirements may be qualified by AstroPay in another referenced document.

AstroPay and the companies in which it directly or indirectly owns investments are separate and distinct entities. In this publication, however, the collective expressions ‘AstroPay’ and ‘AstroPay Group’ may be used for convenience where reference is made in general to those companies. Likewise, the words ‘we’, ‘us’, ‘our’ and ‘ourselves’ are used in some places to refer to the companies of the AstroPay Group in general. These expressions are also used where no useful purpose is served by identifying any particular AstroPay company or companies.

Summary

The purpose of this Privacy Policy (the “Privacy Policy” or “Policy”) is to inform you, the data subject, how AstroPay Global (IOM) Limited (“AstroPay”), in its role as controller, processes personal data, to establish the principles that govern AstroPay’s approach to mitigating security risks, and to set out how data privacy requirements are addressed.

Review and maintenance

This Policy will be reviewed at least annually. The provisions of this Policy can be amended and supplemented from time to time by the Legal and Compliance Team.

  1. PURPOSE OF THIS POLICY

    1. The purpose of the privacy policy is to inform you how AstroPay processes your personal data. With this policy, we wish to make you aware of the information we collect and process and, if possible, for how long we store it. This privacy policy regulates the processing of personal data by us in connection with trading, interaction, or other exchange of personal data with us.
    2. At AstroPay we understand the importance of treating personal data in a confidential and private manner. AstroPay is committed to following the requirements and obligations in relation to data privacy in accordance with applicable law, including the GDPR. Therefore, we have secure and adequate data processing procedures in place.
  2. CATEGORIES OF PERSONAL DATA, PURPOSE, LEGAL BASIS, RETENTION

    1. AstroPay processes your information for one or more specific purposes and in accordance with the data protection regulations. We process your data if you are a customer with us, when we provide payment services to you, if you have created a digital e-Wallet, if you are contacting us, or if you sign up for our promotional and informative communications, etc. The information will generally come directly from you, and we will only process your information for as long as it is necessary for the purpose for which it was collected.

      Below you can read more about the types of processing we do.

      1. Providing payment services to you as a user
        When you use our payment services as a user, we process data about you to provide you with our services. This may include setting up your digital e-Wallet, paying and collecting on online sites, depositing and withdrawing money, transferring money, collecting money with payment links, purchasing, sending and using gift cards or vouchers, creating debit cards, registering and using our mobile AstroPay app, increasing your spending limits, and contacting us about our services in general.

        To provide you with our services, we may need to process data about your full name, address, phone no., email address, IP address and date of birth. When we need to verify your identity before providing our services, we may also need to process data about your gender, nationality, passport issuing country, principal citizenship country, passport number, and your previous residency address if the residency address has changed in the last 3 years. If you want to make a limit increase as a part of a loyalty level program, you as a user have to send ID documents and a bank statement or proof of income or use one of our third-party validators to confirm that you have the spending capacity to increase the limits.

        We process data about you to enter into an agreement with you as a user of our services (GDPR Article 6(1)(b)). When we need to verify your identity, we may process the data based on our legal obligations as a payment provider (GDPR Article 6(1)(c)) with the anti-money laundering regulations. You can read more about this processing below. We may also process data about you for security related reasons based on our legitimate interest in keeping our users and services secure, and in general to keep in contact with you (GDPR Article 6(1)(f)).

        The data primarily comes directly from you as a user of our services. In some cases, the data may also come from a merchant of our services.

        We delete the information on an ongoing basis, however at the latest 6 years after your last use of our services or interaction with us. Data related to payment transactions may be stored for the current financial year plus 6 years after the end of the customer relationship in accordance with local bookkeeping regulations and our obligations as a payment service provider.
      2. Providing payment services to you as a merchant

        When signing up as a merchant with us, we may process data about you as contact person and about the business you represent. This includes data about your first and last name, email address, phone no., Skype username, company name, website, industry, total payment volume (TPV) and any message you may leave together with your submission.

        When you use our payment services as a merchant, we process data about you to provide you with our services. This may include setting up your digital e-Wallet or Crypto wallet, paying and collecting on online sites, depositing and withdrawing money, transferring money, collecting money with payment links, purchasing, sending and using gift cards or vouchers, creating debit cards, registering and using our mobile AstroPay app, increasing the spending limits for your user(s), and contacting us about our services in general.

        To provide you with our services as a merchant, we may need to process data about your company name, company contact name, company email address, company operating address, company registered address, company telephone no. (direct), company website, list of registered company directors, list of company shareholders > 25%, industry type/classification, company registration certificate, company address and proof, company bank details and statements, length of time trading, business description, bank name, bank address, bank sort code, bank account number, IBAN/BIC, annual turnover, average transaction value and peak months.

        We process data about you to enter into an agreement with you as a merchant of our services (GDPR Article 6(1)(b)). When we need to verify your identity and/or business credentials, we may process the data based on our legal obligations as a payment provider (GDPR Article 6(1)(c)) with the anti-money laundering regulations. You can read more about this processing below. We may also process data about you for security related reasons based on our legitimate interest in keeping our users and services secure, and in general to keep in contact with you (GDPR Article 6(1)(f)).

        We delete the information on an ongoing basis, however at the latest 6 years after your last use of our services or interaction with us. Data related to payment transactions may be stored for the current financial year plus 6 years after the end of the customer relationship in accordance with local bookkeeping regulations and our obligations as a payment service provider.
      3. Processing data on you as a reseller

        When you sign up to get contacted by an advisor to become an official AstroPay distributor (reseller), we may need to process data about your name, email address, phone no., country and any message you may leave together with your submission.

        We process data about you to enter into an agreement with you as a reseller of our services (GDPR Article 6(1)(b)). When we need to verify your identity and/or business credentials, we may process the data based on our legal obligations as a payment provider (GDPR Article 6(1)(c)) with the anti-money laundering regulations. You can read more about this processing below. We may also process data about you for security related reasons based on our legitimate interest in keeping our users and services secure, and in general to keep in contact with you (GDPR Article 6(1)(f)).

        We delete the information on an ongoing basis, however at the latest 6 years after your last use of our services or interaction with us. Data related to payment transactions may be stored for the current financial year plus 6 years after the end of the reseller relationship in accordance with local bookkeeping regulations and our obligations as a payment service provider.
      4. Processing data on you as an affiliate

        When you fill out the contact form to get contacted by AstroPay as an affiliate candidate, we may process data about your name, email address, phone no., country, Skype username, company name, website and industry.

        We process data about you to enter into an agreement with you as an affiliate of our services (GDPR Article 6(1)(b)). When we need to verify your identity and/or business credentials, we may process the data based on our legal obligations as a payment provider (GDPR Article 6(1)(c)) with the anti-money laundering regulations. You can read more about this processing below. We may also process data about you for security related reasons based on our legitimate interest in keeping our users and services secure, and in general to keep in contact with you (GDPR Article 6(1)(f)).

        We delete the information on an ongoing basis, however at the latest 6 years after your last use of our services or interaction with us. Data related to payment transactions may be stored for the current financial year plus 6 years after the end of the affiliate relationship in accordance with local bookkeeping regulations and our obligations as a payment service provider.
      5. Anti-money laundering procedures

        As a financial payment provider, we may be required by national legislation to have so-called Customer Due Diligence (CDD) or Know-Your-Customer (KYC) verification procedures in place to prevent money laundering or terrorism financing activities via our services.

        As such, when we onboard you as a physical user, merchant, reseller or affiliate for the use of our services, we may need to collect data about you to verify your identity. This data may include your full name, place and date of birth, permanent residential address, identity reference number or tax reference number, nationality, phone no., email address, unexpired national or other government-issued identity card, passport, driver’s licence, data about politically exposed persons (PEP) and family relations or business relations to PEP and descriptions of unusual or suspicious situations or transactions.

        If you are a business or legal person or are representing a business or other legal person, we may need to collect data about your business or legal person to verify its identity or ultimate beneficial owners. This data may include the business’ full name, company registration number, date of incorporation or registration, registered address or principal place of business.

        In cases where AstroPay finds an activity or transaction unusual or suspicious, and it may be involved with money laundering, AstroPay is required to send information about the transaction to the national anti-money laundering authorities and other competent authorities.

        The data used to verify your identity or your business’ identity is processed by us based on our legal obligation to comply with the anti-money laundering and counter-terrorism regulations to which we, as a controller, are subject (GDPR Article 6(1)(c)). We may also process data about you for security related reasons based on our legitimate interest in keeping our customers and services secure (GDPR Article 6(1)(f)).

        The data obtained for the identification procedures, including copies of documents, is kept by us for up to 10 years in accordance with the anti-money laundering regulations. We keep the background data, including the original documents (or legalised copy), of the transactions or situations classified as unusual or suspicious, for at least 5 years or up to such a period as may be required by the relevant national regulations and national financial supervisory authorities’ guidelines, which may be up to 10 years.
      6. Transaction monitoring and fraud prevention

        To prevent fraudulent use of our services or other criminal activities, we may collect statistical data to monitor transactions from time to time in accordance with our obligations as a financial payment provider set out by the relevant national financial supervisory authorities.

        As part of our transactional monitoring and fraud prevention activities, we may collect and process the following types of data: any unusually high transaction amounts, previous spending patterns, approved and accepted merchants, level of declines, splitting of transactions to gain an authorisation, the country of spending, IP address of purchase, average consumption per user, rejected transactions, times, dates and spread of transactions, login/registration information (IP address of login, user-agent, email address, passwords), name, gender, date of birth, address, country, phone no., use of VPN or Proxy, ID, and proof of address.

        The data collected to monitor transactions and to prevent fraudulent use of our services is processed by us based on our legal obligation to comply with the to which we, as a controller, are subject (GDPR Article 6(1)(c)). We may also process data about you for security related reasons based on our legitimate interest in keeping our customers and services secure (GDPR Article 6(1)(f)).

        We store relevant contact and identification information as part of our collaboration and our fraud prevention obligations as a financial payment provider. We delete the information continuously, however information required to comply with our obligations as a financial payment provider may be stored for up to 6 years.
      7. Optimisation of our services

        As part of our ongoing efforts to further develop and optimise our payment services, we wish to collect and use a variety of data points for analytical purposes to learn how our users and customers interact with our services. These data points may be collected when you sign up for or use our services and via cookies.

        The data we may collect in this regard include your full name, gender, ID, birth date, company, address, country, phone no., email address, IP address, account information, payment information, transaction history, obfuscated card no., purchase patterns, type of user, service used, dates, type of transaction, amount of the transaction and application logs.

        The above data points are typically anonymised or aggregated before they are used in our data analysis. In case we need to process your personal data directly for the above purposes, we will collect your explicit consent prior to our processing (GDPR Article 6(1)(a)) when we deliver our services to you. You can withdraw this consent at any time. We may also process data on your preferences and interactivity with our services based on our legitimate interest to optimise our services and provide a better service to you if this does not conflict with your interests and fundamental rights and freedoms (GDPR Article 6(1)(f)).

        We retain any non-anonymised or non-aggregated data about you for a maximum of 3 years before they are deleted or anonymised.
      8. Notifications and promos

        If you have signed up for our promotional or operational notifications or other communications, we need to process your data when we send out notifications and other communication initiatives. We only process data about your name, country, phone no. and email address.

        We also hold certain promotional events, or “promos” or “draws”, that you can participate in to win prizes. To participate, we may ask you to sign up to our services via the AstroPay app via a promotional code, by depositing money with your AstroPay account, or a third option depending on the circumstances of the promotional event. We may need to process data on your account information to verify your credentials, such as your full name, address, phone no., email address, IP address, date of birth, gender, passport, principal citizenship country and passport number.

        We process your data based on your consent (GDPR Article 6(1)(a)). You have the right at any time to withdraw your consent by writing to dataprotection@astropay.com or by unsubscribing via the link that appears in each notification or other communication initiative.

        We keep documentation of your consent for 2 years after you have unsubscribed from our notification or communication initiative, as any criminal liability expires after this period. Data related to participation in promos are kept for 3 years.
      9. Suppliers and business partners

        When we enter into agreements with suppliers and business partners, we may process data on you as their contact person. This includes data regarding your name, position, phone no., email address and, if necessary, payment information.

        The data is processed to enter into an agreement with the specific supplier or business partner (GDPR Article 6(1)(b)). If your data as a contact person is not directly involved with the contractual relationship with our supplier or business partner, we may still process your data based on our legitimate interest to communicate effectively with our suppliers and business partners (GDPR Article 6(1)(f)).

        We store relevant contact information as part of our collaboration. Written correspondence is deleted continuously and at the latest up to 6 years to document the relationship with the supplier or business partner. Data required to comply with the local bookkeeping regulations is stored for the current financial year plus 6 years.
      10. Support and complaint management

        We collect data about you when providing support services and handling any complaints you may have. The data includes your name, ID, address, email address, phone no., company, position, information related to your complaint, notes on verbal complaints, photos of your payment cards and any additional information that you may send us.

        The data is processed based on our legitimate interest in providing you with our support and handling any complaints you may have in order to improve our customer satisfaction, and to make sure that we resolve any issues you may have (GDPR Article 6(1)(f)).

        We store the data regarding the support or complaint inquiry for as long as we are handling the inquiry, and up to 5 years after the resolution of the complaint or support inquiry.
  3. NOTIFICATION BY STATUTORY PROCESSING

    In cases where we process your personal data based on a legal requirement or an agreement or a claim that must be met to enter into an agreement, you are required to provide us with the data so that we can provide you with our services, fulfil the agreement and invoice you for our services, etc. If you do not want to provide us with the data that we need to comply with our obligations, the consequence may be that we cannot provide or continue providing you with our services or fulfil an agreement with you.
  4. RECIPIENTS OF PERSONAL DATA

    1. We process your personal data with confidentiality, and we generally do not disclose your information to third parties. However, we may disclose your personal data if you have given your consent hereto, when we need to fulfil an agreement with you, if we have a legitimate interest in the disclosure or when we are required to do so by law.
    2. Your personal data can be shared with the following categories of parties:
      • System, software, and hosting providers.
      • Payment and card service providers.
      • Support providers.
      • Fraud detection and prevention providers.
      • Social media marketing partners.
      • Financial supervisory authorities.
    3. We may entrust your personal data to our system suppliers who process personal data on our behalf and according to our specific instructions.
    4. In certain cases, your personal data may be transferred to countries outside of the Isle of Man, the United Kingdom or the EU/EEA. AstroPay ensures that such transfer will be carried out in accordance with the applicable data protection laws. This entails that any party outside of the Isle of Man, the United Kingdom or the EU/EEA that will receive your personal data will ensure an adequate level of protection, for example, by entering into the standard contractual clauses (“SCCs”) with AstroPay. AstroPay will ensure the implementation of supplementary safeguards if deemed necessary in the specific case. You may receive a copy of the legal basis for transfers upon request. Please contact dataprotection@astropay.com.
  5. SECURITY MEASURES

    AstroPay maintains technical, physical, and administrative security measures designed to provide protection for users' personal data against loss, misuse, unauthorized access, disclosure, alteration, and deletion. Security measures include firewalls, data encryption, physical access controls to data centers, and authorization controls for information access. The handling of credit card information is more rigorous and follows the parameters of the PCI-DSS standard.

    The user is responsible for protecting and maintaining the confidentiality of passwords, account registration information, or profile; and for ensuring that their personal data with the company is accurate and up to date. AstroPay is not responsible for protecting personal data shared with third parties based on an account connection authorized by the user.

    We protect security during access to our website and application, in transactions, and in information capture through the data encryption process using the Secure Sockets Layer (SSL) security protocol, which verifies the authenticity of our website and ensures the integrity and confidentiality of the data during transmission.
  6. RIGHTS

    AstroPay has implemented a number of measures to protect your personal data and ensure your rights. As a data subject, you can exercise the rights listed below. Please note that certain limitations may apply to your ability to exercise these rights, for example, when your right to obtain the information is found to be overridden by essential considerations of private interests.

    As a data subject you have the following specific rights, unless otherwise exceptionally provided by the data protection legislation: Right to information about processing, Right of access, Right of rectification, Right of erasure (“right to be forgotten”), Right to restriction of processing, Right to data portability, Right to object, Right to complain to the Isle of Man Information Commissioner.

    If you disagree with the way in which AstroPay processes your personal data, you may file a complaint with the Isle of Man Information Commissioner, using the contact details that are available at https://www.inforights.im/. However, we hope that you will contact us first, using the below contact details, so that we may reach agreement.

    Right to withdraw a former consent. If the processing of your personal data is based on your consent, cf. Art. 6(1)(a) of the GDPR, you have the right to withdraw your consent at any time. Please note that your withdrawal does not affect the lawfulness of the previous processing of your personal data which until your withdrawal has been based on your consent. If you wish to exercise any of the above-mentioned rights, or if you wish to withdraw a former consent, you are welcome to contact us at dataprotection@astropay.com.

    To process your request, we need you to provide us with the following information:

    1. Full name, address, contact telephone number and email address.
    2. Photocopy or scanned image of one or both of the following: 1) Proof of Identity, e.g. passport, photo driver’s license, national identity card, birth certificate; 2) Proof of Address, e.g. utility bill, bank statement, credit card statement (no more than 3 months old), current driver’s license.

    If you do not provide us with the above information (items 1 and 2), AstroPay cannot identify you and is thus unable to handle your request.
  7. QUESTIONS OR COMPLAINTS

    If you have any questions relating to this Policy, you wish to exercise your rights as mentioned above, or you disagree with the way AstroPay processes your personal data, you can contact AstroPay at dataprotection@astropay.com. You can also file a complaint to the Isle of Man Information Commissioner, which is an independent public authority that is responsible for monitoring and enforcing the application of the data protection regulations. The Isle of Man Information Commissioner’s contact information is available on its website: https://www.inforights.im/.
  8. CONTACT INFORMATION

    AstroPay Global (IOM) Limited

    • Company Registration No: 135497C
    • Address: Second Floor, 18 – 20 North Quay, Douglas, Isle of Man, IM1 4LE
  9. AMENDMENTS ON THIS POLICY

    AstroPay has the right to modify this Policy regarding new technologies, regulatory requirements, or other purposes. For this reason, please visit this page periodically. The date on which the latest version of this Policy was uploaded is shown below.

    Date of the most recent version of this Policy: 12th June 2024.