Privacy and Data Protection Policy
The present Personal Information Privacy Policy (hereinafter referred to as “the Policy”) applies to all information the Qostiq payment service provider (hereinafter referred to as “the Provider”) may obtain from the user of the payment system (hereinafter referred to as “the Client”) when the latter uses the Qostiq® service and/or any of the web sites, applications, products, services, software of the Provider (hereinafter referred to as “the Provider’s Services”).
IT IS OBLIGATORY FOR ALL THE DATA SUBJECTS TO READ THIS POLICY IN ORDER TO ACKNOWLEDGE HOW THE PROVIDER COLLECTS, PROCESSES THE PERSONAL DATA, AND WHAT SECURITY MEASURES ARE APPLIED.
The use of the Provider’s Services means that the Client has read the present Policy and unreservedly agrees with the terms of processing of his or her personal information specified herein, as well as of any other information used for analyzing the behavior of Clients/Visitors on the website, for which the Provider may involve third parties; if the Client disagrees, the Client must refrain from using the Provider’s Services.
DEFINITIONS
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special categories of the personal data (sensitive data) means any personal data revealing the racial or ethnic origin, political views, religious or philosophical beliefs, membership in trade unions, as well as the processing of genetic data, biometric data for the purpose of unambiguous identification of a natural person, health data.
Data controller (controller) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Subject means any person being the subject of personal data, whose personal data is processed by the Provider, including Users (Developers, Clients and Visitors), independent contractors/employees and other interested parties.
Client means a Data Subject who has completed the registration procedure on the Platform.
Visitor means a Data Subject who has visited the website of the Platform for any specific purpose.
Services means any service rendered by the Provider using the Platform. The services are provided pursuant to the End-User License Agreement.
Platform means https://qostiq.com/ website with the accompanying software by the Company on the servers allowing the provision of the Services.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Automated decision-making means the ability to make decisions using technological aids without human intervention leading to legal consequences regarding the Data Subject or significantly affecting it.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Supervisory Authority (DPA) means an independent public authority approved by an EU member state pursuant to the General Data Protection Regulation (GDPR/RODO). Within the scope of the current Policy, DPA means the Data Protection Inspectorate of Poland.
Mouseflow is a service engaged by the Provider to provide the Service, which uses the Software to process, analyze and store the Customer/Visitor Data. Mouseflow is an analytics tool used by the Provider to optimize and improve the operation of the Services.
-
General provisions
- Upon collection and utilisation of the personal data, the Provider shall be subject to a number of legal acts regulating the procedure for implementation of such activities, as well as the guarantees to be established in order to protect the data.
- The present Policy shall be applied to all employees of the Provider, Customers, interested parties and any subjects directly or indirectly involved in the processing of the personal data within the scope of the Provider's activities, including the Data Subjects visiting the website https://qostiq.com/.
- The Data Subjects shall be entitled to contact the Provider or the DPA regarding their personal data breach in case they discover it prior to the Provider.
-
Clients’ personal information
- For the purposes of the present Policy, the term “the Client’s personal information” shall be defined as the information that:
- is presented by the Client himself upon signing up at any of the Provider’s Services;
- is presented by the Client himself upon identification/complete identification of the Client;
- is presented by the Client himself upon use of any Provider’s Services;
- is automatically delivered to the Provider and Mouseflow upon use of any Provider’s Services, including IP address, cookies status, the Client's browser used to access the Provider’s Services, access time, requested page.
- The present Policy shall apply to the data presented by the Client to the Provider in use of the Services only. The Provider shall not be held liable for any personal information placed by the Client on the websites of third parties, including, inter alia, cases where the link to the website is placed on the Provider’s website.
- The Provider shall not verify the accuracy of the personal information disclosed by the Client, but assumes that the Client has provided complete and reliable information which is subject to update if rectified.
-
The terms of processing of the Client’s personal information:
- The Company shall adhere to the principles set forth by the GDPR upon collection and processing of the personal data. The Company’s policies and procedures shall be designed to ensure compliance with the following principles:
-
Lawfulness, fairness and transparency
Lawfulness means the controller shall determine the legitimacy of the justifications prior to the processing of the personal data (for example, consent).
Fairness means the controller shall make certain information available to the data subjects to process the data fairly to the extent reasonably practicable. This applies to whether the personal data was obtained directly from the data subjects or from other sources.
Transparency means any information related to the processing of the personal data shall be accessible and understandable, as well as presented in simple and understandable terms.
-
Purpose limitation
The personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
-
Data minimisation
The personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
-
Accuracy
The personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
-
Storage limitation
The personal data shall be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed. The personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
-
Integrity and Confidentiality
The personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing as well as against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- The Provider shall collect and store only the Client’s personal information that is used within the scope of the End-User License Agreement between the Client and the Provider on the delivery of the Provider’s Services, except where the legislation of Poland specifies otherwise.
- The confidentiality of the Client’s personal information shall be ensured.
- The Provider shall utilise the personal information for the following purposes:
- Within the scope of the End-User License Agreement between the Client and the Provider on the delivery of the Provider’s Services;
- Communication with the Client;
- Improving the quality of the Provider’s Services, offering the Client personalised Provider’s Services;
- Performing the marketing actions and events for the Clients.
- The Provider shall transfer the Client’s personal information in the following cases:
- The Client has consented to the transfer of the data to third parties;
- The transfer is required for the implementation of the Provider’s obligations under the End-User License Agreement between the Client and the Provider on the delivery of the Provider’s Services;
- The transfer is stipulated by the legislation of Poland or the country of the service provision;
- The Provider has reasonable grounds to believe that the Client’s actions breach the terms of the End-User License Agreement between the Client and the Provider on the delivery of the Provider’s Services and/or the legislation of Poland.
- Upon processing of the Client’s personal data, the Provider shall be subject to the Law of Poland On the Personal Data (https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20180001000/U/D20181000Lj.pdf).
- Upon exercising of its activities, the Provider shall collect the following personal data of the Clients for the following purposes:
- Full name; payment card number; phone number; digital wallet number in payment systems; cryptocurrency wallet number; e-mail; passport details; ID card details; date of birth; photo of the wallet holder's identity, and documents provided to confirm the wallet holder's identity; photo of the payment card with the first 6 and last 4 digits of the card visible; IP address; and browser type are used by the Provider to render the services delivered by the Provider to the Clients regarding the money transferring without opening an account and providing electronic means of payment. The payment system or bank requires the above-mentioned personal data to ensure the payment is genuine and lawful.
- nickname; photo; gender; email; phone number; and client's data for instant messenger are used to manage a dialogue between the Provider and the Client regarding the services.
- the Provider’s website domain; email; date of birth; IP address; and browser type are used to create the Client’s account and to log in to the Platform.
- nickname; email; phone number; client's data for instant messenger; IP address; and browser type are used for communication with the Client and provision of the customer support regarding the login, account management, account security, system software errors, Services, blocks, etc.
- The Provider shall not collect and/or process the sensitive data.
- The Provider shall not apply the profiling or automated decision-making during the processing of the personal data.
- The Provider shall not collect any personal data from the Data Subjects other than specified in the present Policy. The Provider also shall not collect any personal data except for the purposes of processing set forth herein.
- By collecting and processing the personal data of Clients and Visitors, the Company acts as a controller, wherefore the relevant range of rights and obligations arises.
-
Rectification and erasure of the Client’s personal information
- The rectification and erasure of the Client’s personal information shall be performed pursuant to the procedures stipulated by the End-User License Agreement of the relevant Provider’s Services. Within the scope of the Provider’s Services, the Client may obtain the functionality to rectify (update, add new information to the data already available) or completely or partly erase the information provided by the Client (according to Articles 16, 17, 18, 20 and 21 of the RODO). The Client also has the right to file a complaint with the supervisory authority (in accordance with Article 77 of the RODO): https://uodo.gov.pl/pl/404/224. The use of the relevant functionality shall be subject to the agreements applicable to this Provider’s Service.
- The Provider shall be imposed with the obligation to process/store the Client’s personal information obtained upon application of the Provider’s Services pursuant to the legal requirements. Such processing/storage shall be performed by the Provider in certain cases, on relevant grounds and within the specified time limits stipulated by the legislation.
-
Data processing and use by Mouseflow service
- This website uses Mouseflow:
- a website analytics tool that provides session replay, heatmaps, funnels, form analytics, feedback surveys, and similar features/functionality.
- Mouseflow may record your clicks, mouse movements, scrolling, form fills (keystrokes) in non-excluded fields, pages visited and content, time on site, browser, operating system, device type (desktop/tablet/phone), screen resolution, visitor type (first time/returning), referrer, anonymized IP address, location (city/country), language, and similar meta data.
- Mouseflow does not collect any information on pages where it is not installed, nor does it track or collect information outside your web browser.
If you'd like to opt-out, you can do so at https://mouseflow.com/opt-out.
If you'd like to obtain a copy of your data, make a correction, or have it erased, please contact us first or, as a secondary option, contact Mouseflow at privacy@mouseflow.com.
For more information, see Mouseflow’s Privacy Policy at https://mouseflow.com/legal/company/privacy-policy/.
For more information on Mouseflow and GDPR, visit https://mouseflow.com/legal/gdpr/.
For more information on Mouseflow and CCPA/VCDPA visit https://mouseflow.com/legal/ccpa.
-
Storage period
- The Provider shall process and store personal data for the period required for the purposes of processing to be implemented as stipulated herein.
- Considering the purposes of processing, the storage period for the personal data (hereinafter referred to as “the Storage Period”) shall be as follows:
address; payment card number; phone number; digital wallet number in payment systems; cryptocurrency wallet number; email; passport details; taxpayer identification number; nickname; photo; date of birth; Seller’s website domain; full name; IP address; and browser type - up to 60 months from the date of the Client’s last activity on the Platform pursuant to the regulations set forth by the GDPR.
- After the expiration of the storage period, the Provider shall be obliged to erase the personal data or shall refer to the Data Subject in order to sign a new consent to the data processing, whenever the need arises or for another purpose of processing.
- The Provider shall be entitled to discontinue storing and to erase previously collected personal data of the Data Subjects at any time where such personal data are no longer required.
- The Provider shall continue to store personal data assuming the further processing is obligatory by the legislation to implement public interest purposes, scientific or historical research purposes, or statistical purposes.
-
Rights of the Data Subject
- The present Policy enables all Data Subjects to exercise any of the following rights:
the right of access. The Data Subjects are entitled to know whether their personal data is being processed and, if so, to also have access to such data.
the right to rectification. The Data Subject shall be entitled to obtain from the Provider the rectification of inaccurate personal data concerning him or her providing a supplementary statement.
the right to erasure or the right to be forgotten. The Data Subject shall be entitled to obtain from the Provider the erasure of personal data concerning him or her without undue delay and the Provider shall be held liable to erase such personal data without undue delay.
the right to restriction of processing. The Data Subject shall be entitled to obtain the restriction for processing of personal data concerning him or her with a few exceptions within the scope of the GDPR.
the right to be informed. The Provider shall be obliged to inform the Data Subject regarding what data is collected, how it is used, how long it will be stored and whether it will be transferred to third parties. Such information shall be concise and understandable.
the right to data portability. The Data Subjects shall be allowed to receive and reuse their personal data for their own purposes in different services. This right applies only to personal data provided by the Data Subject to the Provider on the basis of consent.
the right to object. The Data Subjects shall be entitled to object to processing of personal data concerning him or her by the Provider. The Provider must terminate the processing of personal data, if the Provider is unable to demonstrate a convincing legal basis for the processing that prevails over the interests, rights and freedoms of the individual or if the processing is intended to create or implement the protection of legitimate claims.
the right not to be subject to a decision based solely on automated processing. The Data Subjects shall be entitled to object to any automated profiling occurring without consent. At the same time, the Data Subjects shall be entitled to obtain human intervention into the processing.
- The Data Subject shall be entitled to exercise any of the above-mentioned rights by contacting the technical support at the following email: support@qostiq.com.
- The Data Subjects shall be entitled to exercise any of the above-described rights by sending a request to the following email: support@qostiq.com. The request by the Data Subject shall consist of: his or her name, personal contact details, wallet number or cryptocurrency wallet number registered in the system, email used for signing in by the user in the payment system, what right shall be exercised, the data of the subject that are processed by the Company, details and the request justification.
-
Security
- The Provider shall be held liable for ensuring that any personal data held by the Provider and subject to its responsibility is kept secure and shall not be disclosed under any circumstances, unless the person has been specifically authorised by the Provider to obtain such information and has signed a non-disclosure agreement.
- Any personal data shall be available only to those who need to use it. The personal data shall be processed with the highest degree of security and stored in the encrypted form.
-
Notification of a personal data breach
- The Provider shall take all reasonable actions to minimise the risk of the personal data breach during its processing.
- In the case of a personal data breach, the Provider shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the DPA unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the Data Subjects.
- The risk assessment to be performed by the Provider shall determine the level of risk to the rights and freedoms of the Data Subjects once the personal data breach has occurred and whether it is a sufficient ground to notify the involved Data Subjects of such a breach.
- Moreover, the Provider shall notify the involved Data Subjects without undue delay of such a breach where the personal data breach may lead to a high risk to the rights and freedoms of Data Subjects.
- The notification of the involved Data Subjects shall not be required, as stipulated by the GDPR, where measures have subsequently been taken to avoid a high risk to the rights of the Data Subjects.
- The Provider shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the DPA to verify compliance with the GDPR.
-
Data transfer
- The Provider shall not sell any personal data to either legal entities or natural persons.
- The Provider shall be entitled to transfer the personal data to its employees specified in the present Policy. It should be understood that the Provider transfers the personal data pursuant to the GDPR.
- The Provider shall be entitled to transfer the personal data to the payment system or the bank of the Client aiming to make payments.
- The personal data shall be transferred for the purposes and under the conditions stipulated by the present Policy.
- Pursuant to the GDPR, the Provider shall be entitled to transfer the personal data under one of the following conditions only:
- the data subject has given the express consent to the transfer of data subsequent to the information received on the possible risks of such transfer;
- the transfer is required for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the request of the data subject;
- the transfer is required for the entering into or performance of a contract concluded between the controller and any other natural or legal person for the benefit of the data subject;
- the transfer is required on the substantial grounds of the public interest;
- the transfer is required to generate, implement or protect the legal claims;
- the transfer is required to protect the vital interests of the data subject or any other persons where the data subject is physically or legally incapable of giving consent.
-
Modification to the Privacy Policy
- The Provider shall be entitled to offer the Client a modification and/or supplement to the present Policy by publishing the new version of the Policy on the website at https://qostiq.com. Acceptance of such an offer by the User shall be evidenced by his or her course of conduct in using any of the Provider's Services under the new conditions.