Privacy policy

UAB OPAY solutions Personal Data Processing Policy

We care about the protection and privacy of your personal data and take your privacy very seriously. Therefore, we aim to keep you fully informed about the processing of your personal data. We will collect, store and process all data in accordance with the General Data Protection Regulation (EU) 2016/679 (the “Regulation”), the Law on Legal Protection of Personal Data, as well as other legislation.
Our payment services may only work if we collect, store, transfer, erase and/or otherwise use (“process” or “processing”) data relating to you. Personal data means any information about you that you provide or that we receive from other sources and that identifies you (“data”), such as your name, bank account number, address or email address, etc.
Please take the time to review this Policy, as it describes what data we collect from you and for what purposes we process data when you use our payment services. It also contains important information about the protection of your data, in particular your legal rights. We may change this Policy from time to time and we encourage you to review this Policy periodically. If you have any questions, please do not hesitate to contact us using one of the methods set out below.

What data we collect and process about you

When the buyer makes a payment using OPAY payment services, we collect and process basic personal data such as your name, personal identification number (if you provide one), bank account number, shopping cart identification data, email address and other data that are necessary for the formation of the payment order and for the provision of information on the execution/non-execution of payment.
When the client (trader as a natural person) enters into and performs contracts with us for the provision of payment services

  • Identification data, such as ID document data, IP address, login data, including when and from where our self-service system on the website was accessed;
  • Financial data, such as origin of funds, registered country for the payment of taxes, bank accounts, payment documents;
  • Economic data, such as economic-commercial activity performed by you (e.g., if you are self-employed, etc.), the goods you sell, etc.

If you are a person related to the client/trader (e.g. you are a director, shareholder, ultimate beneficial owner, member of the board of directors or other governing body of the client/trader or an agent of the client/trader acting under a power of attorney), we will collect and process basic personal data about you, such as your name, personal identification number, place of residence, email address, telephone number and any other data that OPAY is obliged to collect under the applicable anti-money laundering legislation.
Important: If you provide us with the data of other persons related to you, you should obtain the consent of those persons and make them aware of this Policy.
When you, as an agent of the client/merchant, log in to the self-service system on the website, we collect and process your identification data, such as the IP address of your device, information about the browser used on your device, and when and from where you logged in to the self-service system on the website.

For what purposes we collect and use your personal data

We process your data for the following main purposes:
We process payer data so that you can conveniently pay for the goods you wish to purchase and so that we can provide you with payment services.
We process the data of clients (traders as natural persons) and of agents of traders in order to identify and contact you and to enable us to properly fulfil our contractual obligations to clients/traders. For this purpose, we process your (if you are a natural person) or your agent’s name, email address, telephone number and other contact details, and we also use data about your transactions with us and information we obtain from you when you use our services.
In order to send you general direct marketing offers, we collect and use your email address.
In order to communicate with you, for example, to respond to your questions and requests regarding the provision of the services, to receive your feedback, to send you important notifications (in relation to changes to this Policy or other documents) or to send you technical notifications, updates, security alerts, support and administrative messages, we process your contact details and the content of the notifications received and sent to you.
In order to ensure the remote provision of services in the self-service system, we store the IP address and other data that identifies you, the content of communication, the time and other technical data.
In order to adequately protect the legitimate interests of OPAY and any third parties, we will process data for the purposes of protecting ourselves against unlawful activities, in particular fraud, as well as for the purposes of prevention, detection and application of remedies, and for the prevention of cyber-attacks on the data we store and other threats to the integrity of the website, and for the protection of our own interests when resolving disputes, in the case of improper performance of contractual obligations, and for the purposes of enforcement, exercise and defence of our other rights.

What gives us the right to receive and use your personal data

We receive and use your personal data under at least one of the following conditions:

  • you use payment services provided by OPAY;
  • you intend to enter into or have entered into a contract for payment services provided by OPAY;
  • you have given your consent;
  • processing of personal data is possible on the basis of legislation;
  • to pursue our other legitimate interests, such as, for example:
    • to improve the quality of our services so that they meet your expectations;
    • to take various legal actions (for example, to lodge a claim or otherwise to avoid or reduce losses).

Important: If you do not provide us with the personal data that are necessary for the conclusion or performance of the contract or for the provision of payment services, we will not be able to provide you with services.

Use of cookies

For more information about the cookies used on our website, please see Description of Cookies below.

Where we get your personal data

We use the personal data that you provide to us when you apply for and use our services, fill in data forms, make requests or claims, and that we record in your self-service account.
We may also receive your personal data from the client/trader:

  • if you are a person related to the client/trader (agent, employee, counterparty, founder, shareholder, participant, owner, etc.);
  • if you buy goods from the customer/trader and pay for them using payment services.

Who we provide your personal data to

For the provision of specific services, OPAY may engage external service providers to undertake data processing procedures on our behalf and under our instructions. We choose these external service providers carefully and in accordance with the law. We aim to ensure that service providers comply with the Regulation, the laws, the Policy and other mandatory legal requirements. The relationship between us as a data controller and a particular data processor, except where such relationship is established by law or regulation, shall be set out in a written contract or in written terms and conditions.
We provide your personal data in accordance with the legal requirements. Your personal data may be transferred to payment and other service providers involved in the execution of your payment order, to courts or other dispute resolution authorities, to other third parties to the extent that it is related to the sale, merger, purchase or reorganisation of all or part of our business or similar business changes (including, but not limited to, potential or existing purchasers of the business and their advisers).
We may use various service providers as data processors to process the personal data referred to in this Policy, such as: data centre, cloud, website administration and related service providers, advertising and marketing service providers, software development, provision and support companies, information technology infrastructure service providers, network service providers, messaging, direct marketing and related service providers, professional advisors and auditors and other consultancy companies.
Some of these service providers may be located in countries outside the EU/EEA, where the level of data protection may be considered inadequate by the EU/EEA standards. Nevertheless, we have appropriate agreements (or other valid guarantees) in place with such service providers to ensure that all necessary measures will be taken to protect your data in accordance with applicable requirements. If you have any questions about our service providers, please contact us at info@opay.lt. We will always provide additional information on our data security safeguards upon request (a copy of this information will be emailed to you).
Important: Payment and other service providers involved in the execution of your payment order may be based or operating in a country that does not ensure an adequate level of data protection. In such a case, we will take all measures to ensure that your personal data are used securely, but there may be cases where we cannot ensure that the recipient of the data complies with the same requirements as in the EU.

How long we store your personal data

We store your personal data for no longer than is necessary for the purposes for which they were collected or for such period as may be required by law, for example:

  • we store the data of payers and traders for a further 10 years, but no longer than is necessary for accounting purposes, in accordance with the time limits set by law.
  • data obtained by means of cookies are stored

How secure are your personal data

We continuously use various security technologies and procedures to protect your personal data from unauthorised disclosure or use. Therefore, we carefully select our suppliers and require them to use appropriate measures that can adequately protect the confidentiality of your personal data. Access to data is limited to those persons who need it for the purposes described in this Policy.
However, we would like to point out that the transfer of data over the internet or by email is not always completely secure and it is not possible to guarantee that third parties will not access it, so you should be careful when submitting information using a public computer.
However, we would like to point out to you that the transfer of data to us via a website or email cannot be completely secure unless you take precautions yourself. For example, if you transfer the data on a public computer or if your personal computer is infected with a virus or other malicious program.

What are your rights

You have the following rights:

  • the right to have access to your personal data processed by OPAY by receiving copies of such data;
  • the right to have incorrect, inaccurate or incomplete data corrected;
  • the right to restrict the processing of your personal data until the lawfulness of the processing has been verified at your request;
  • you have the right, in certain circumstances, to request the erasure of your personal data or restriction of the processing of your personal data;
  • the right to object to the processing of personal data for direct marketing purposes and where the processing is carried out for our legitimate interests;
  • the right to receive your personal data processed in a structured, commonly used and computer-readable format and the right, under certain conditions, to have those personal data transferred to another controller;
  • where the processing of personal data is based on consent, the right to withdraw the consent you have given without prejudice to the use of your personal data prior to the withdrawal of consent;
  • the right to lodge a complaint with the State Data Protection Inspectorate (for more information, see www.ada.lt).

How you can exercise your rights

You may submit requests (including a request to exercise your rights), complaints or communications (“enquiries”) to OPAY using the contact details below.
We will respond to your enquiry no later than 30 days from the date of receipt thereof. In exceptional cases, where we need more time to respond fully to an enquiry we have received from you, we will respond no later than 60 days from the date of receipt of the enquiry, after giving you a prior notice.

Our contact information

If you have any questions about the processing of your data or questions about your rights, please contact us at info@opay.lt or UAB OPAY Solutions, M. K. Paco str. 4, LT-10309 Vilnius (IX – entrance), Lithuania.

Contact details of the Data Protection Officer

If you have any questions regarding the processing of your personal data, please contact the OPAY Data Protection Officer by phone +370 611 55554, by e-mail duomenuapsauga@opay.lt, or by mail at the address M. K. Paco str. 4, LT-10309 Vilnius (IX – entrance), Lithuania.

Principles of personal data protection that we comply with

We comply with the following principles when collecting and using the personal data you entrust to us, as well as personal data obtained from other sources:

  • To process your personal data in a lawful, fair and transparent manner.
  • To collect your personal data for specified, clearly defined and legitimate purposes and not to further process them in a way that is incompatible with those purposes.
  • To ensure that your personal data are adequate, relevant and only necessary for the purposes for which they are processed.
  • To ensure that the personal data processed are accurate and, where necessary, updated.
  • To ensure that your personal data are kept in a form which permits identification of the individual for no longer than is necessary for the purposes for which your personal data are processed.
  • To ensure that your personal data are processed in such a way that appropriate technical or organisational measures are taken to ensure adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Validity and changes to the Policy

This Policy comes into force on 21 March 2019 and is subject to change in line with changes in legislation and in our operations. We will notify you of changes on our website www.opay.lt and by other means.

Description of OPAY cookies

Cookies are small text files that are placed on your computer or other devices connected to the internet (e.g. tablets, smartphones) if your browser settings accept cookies.
When you open one of our websites, we ask for your consent to place additional cookies on your device. By continuing to use the website after we display the cookie notice, you agree to our use of cookies for the purposes set out below (“Cookies used and their purpose”).

Cookies used and their purpose

Strictly necessary cookies
The cookies we use are necessary for the functionality and operation of our website (e.g. information that identifies a user as logged in to the self-service), and we only use the information stored in cookies for this purpose. Most cookies are deleted from your device at the end of your browser session.

Name

Validity

Description

sessionId

Until the browser is closed

A unique identifier issued when accessing the OPAY system. It is required so that 

when navigating between pages, the system would understand that it is the same person 

browsing and not individual people turning different pages. Or to record that a user 

is logged in to self-service.

accordionOpen

Until the browser is closed

Which payment method group is displayed on the payment page

channelSelected

Until the browser is closed

Which payment method is selected on the payment page

cookieconsent_status

1 year from last visit

The cookie stores information that you have chosen to close the cookie notice.

Third-party cookies

When you use the services of the website, cookies or network data collectors from other providers may be used to collect data about you. This may be done for the purposes of group measurement, activation of contextual advertising or targeted campaigns. These cookies help us to identify how many visitors visit our website and how they behave on it. This helps us to improve the functionality of our website, for example, by ensuring that users can find what they are looking for. If you give us permission to use cookies, we will also evaluate user profiles under a pseudonym. It will not be possible to identify the individual. These technologies are managed by third parties. You can stop the storage of such third-party cookies and tracking performed by them by changing your browser settings.

Name

Validity

Description

jsessionid

Until the browser is closed

A unique identifier issued when accessing the OPAY system. It is required so that 

when navigating between pages, the system would understand that it is the same person 

browsing and not individual people turning different pages.

nreum

Until the browser is closed

New Relic is used. Browsing start time required to measure the user’s browser

 response time.

nragent

Until the browser is closed

New Relic is used. A unique identifier that is required for the transmission of monitoring 

data from the monitoring agent on the website to the monitoring system itself.

fr

3 months from last visit

Used for Facebook marketing purposes.

_fbp

3 months from last visit

Used for Facebook marketing purposes.

tr

Until the browser is closed

Used for Facebook marketing purposes.

_ga

2 years from last visit

Used by Google Analytics to monitor the actions of website users.

_gid

24 hours from last visit

Used by Google Analytics to monitor the actions of website users.

 _gat

1 minute after last visit

Used by Google Analytics to monitor the actions of website users.

AMP_TOKEN

From 30 seconds to 1 year after last visit

Used by Google Analytics to monitor the actions of website users.

_gac_

90 days from last visit

Used by Google Analytics to monitor the actions of website users.

__cfduid

365 days from last visit

CloudFare CDN provider cookie to help identify the same browser.

_hjIncludedInSample

365 days from last visit

Used to monitor the actions of Hotjar website users.