Privacy Notice

Corefy takes care of your personal data and does everything possible to protect it. This Privacy Notice is written to help you understand what your personal data is collected, stored and used, and what happens to it when you use our website at corefy.com (“Website”).

Pay your attention! UK leaves the EU by 31 December 2020. Till that time, the whole data processing process will be handled as it goes. After leaving the EU, the UK will become a third country pending a decision on the adequacy of jurisdiction. We will continue to be GDPR compliant and comply with the data processing and transmission requirements, taking into account the GDPR requirements for third countries that are not recognised as an adequate jurisdiction.

By using our software, services, and website, you acknowledge that you have read and understood this Privacy Policy.

In this Privacy Notice we answer the following questions:

1. 1) Who are we?
2. 2) What is the Privacy Notice covered by?
3. 3) What data do we collect and why?
4. 4) How long do we keep your data?
5. 5) How do we protect your Data?
6. 6) Do we share data with third parties?
7. 7) Do we do data transfer outside the European Economic Zone?
8. 8) Do we use cookies?
9. 9) What rights do I have regarding my data?
10. 10) How do we update Privacy Notice?
11. 11) California privacy rights.
12. 12) Do-not-track requests.
13. 13) California residents data protection rights.

1. Who are we?

We are PayCore.io Limited (the Company), company number 11654625, with a registered address at 37th floor, One Canada Square, Canary Wharf, London, E14 5AA, United Kingdom.
In relation to your personal data, we are the controller and processor at the same time. We are the controller of your personal data of our clients and users, which means that we determine what, for what purpose and how your personal data will be processed.

If you have any questions, you can contact us by sending an email to info@paycore.io. You can also send us a letter at PayCore.io  Limited, 37th floor, One Canada Square, Canary Wharf, London, E14 5AA, United Kingdom.

2. What is the Privacy Notice covered by?

This Privacy Notice applies to our website and our services. Our websites are corefy.com and PayCore.io  .

3. What data do we collect and why?

For the purposes of this Privacy Policy, “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person, as defined under Article 4(1) of the General Data Protection Regulation (GDPR). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

The data we process is divided into two categories: technical information and data that is provided to us by a user, consumer and client.

Technical information. When you visit our website, some data is collected automatically. We need technical data to operate, maintain, and improve our website. This includes data such as an IP address, UTM parameters, geolocation, device type, browser type, cookies, and data about your interaction with the website - session ID.

The session ID includes your interaction with the website, the name of the website from which you went to our website, the functions you use, the pages viewed on our website, the way you use our website, and the actions you take if such actions are present.

Data provided by the client. To perform a contract, we need the following data: full name, date of birth, email, passport details (tax number, address), gender, phone number, position, company name, payment information (bank details, bank card details), and merchant ID credentials.

Data provided by the consumer. In cases where Corefy processes personal data of end users of our clients (consumers), Corefy acts strictly as a Data Processor under the GDPR. The client (our business partner) acts as the Data Controller and determines the purposes and means of processing. Processing is carried out on behalf of and under the lawful instructions of the Data Controller (Art. 28 GDPR). For detailed information about the processing of such personal data, data subjects should contact the relevant controller directly. As a processor, we may process the following data: name, surname, geolocation, address, device hash, email, phone number, tax number, payment information incl. but not limited to bank ID, bank details, payment card details, electronic wallet ID.

Data provided by the user. For full interaction with our website, we may collect your name, phone number, email, and company name.
Once again, briefly about what personal data we collect:

Legal Basis for Data Processing. We process personal data based on one or more of the following legal grounds:

1. a) Consent: Where you have given us your explicit consent to process your personal data for specific purposes.
2. b) Contract: Where the processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract.
3. c) Legal Obligation: Where the processing is necessary for compliance with a legal obligation to which we are subject.
4. d) Legitimate Interests: Where the processing is necessary for our legitimate interests or those of a third party, and such interests are not overridden by your interests or fundamental rights and freedoms.

Pay your attention. We knowingly do not process the personal data of users under the age of 13 without consent from the legal representative(s). If you are such a user, or you are the legal representative of the user, please let us know by email at info@paycore.io.

4. How long do we keep your data?

We store personal data in the following categories:

Client data. We store personal client data for the duration of the service and 36 months after completion.

Consumer data. We store personal consumer data for the duration of the service and 24 months after completion.

User data. We store users' personal data for 36 months.

Notwithstanding the foregoing, Company may retain personal data for longer periods if required by applicable laws, regulations, or legal obligations, such as tax or accounting purposes, or for the establishment, exercise, or defense of legal claims.

However, you can exercise your right to delete your data. In this case, your data will be deleted from our servers within 30 days of your request.

5. How do we protect your Data?

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk associated with the processing of Personal Data, including, as appropriate:

1. a) The pseudonymization and encryption of Personal Data;
2. b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
4. d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

We implement access controls and authentication mechanisms to ensure that access to Personal Data is restricted to authorized personnel only, based on the principles of least privilege and need-to-know.

We maintain and regularly review access logs and audit trails to monitor access to Personal Data.

The Company implement role-based access controls and segregation of duties to prevent unauthorized access, modification, or misuse of Personal Data.

We ensure the physical security of our facilities and data centers where Personal Data is stored or processed, including appropriate access controls, monitoring, and security measures and conduct background checks and require all personnel with access to Personal Data to execute confidentiality agreements and undergo regular security awareness training and education.

We adhere to industry-recognized security standards and best practices, such as ISO 27001, and shall conduct regular audits and assessments of its security measures.

We ensure that any subprocessors engaged in the processing of Personal Data implement appropriate technical and organizational measures to protect the security and confidentiality of Personal Data, as required by this Privacy Policy, GDPR and other applicable laws and regulations.

We regularly review and update our security measures to incorporate new technologies, industry best practices, and emerging threats, and shall continuously strive to improve the security and protection of Personal Data.

6. Do we share data with third parties?

We use your personal data to perform a contract and for communication between us and the client, between us and the consumer, and between us and the user. We may share or disclose personal data to third parties in the following limited circumstances:

1. a) To comply with legal obligations, court orders, or requests from government authorities, law enforcement agencies, or regulatory bodies, to the extent required by applicable laws and regulations.
2. b) To protect the vital interests of the data subject or other individuals, in cases of emergency or threat to life, health, or safety.
3. c) To perform a contract with the data subject or take steps at the data subject's request prior to entering into a contract.
4. d) For the legitimate interests of the Company or a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject.
5. e) Consent. We transfer your personal data based on your explicit consent.

Third parties to whom personal data may be shared or disclosed include:

1. a) Service providers, contractors, or other third parties engaged by the Company to perform services or functions on its behalf.
2. b) Law enforcement agencies, government authorities, or other third parties as required by applicable laws and regulations.
3. c) Companyʼs Affiliates or subsidiaries for internal administrative purposes.
4. d) Potential buyers or investors in the event of a merger, acquisition, or sale of all or a portion of Company's assets.

Company ensure that any third party to whom personal data is shared or disclosed is bound by appropriate confidentiality and data protection obligations, and required to implement adequate technical and organizational measures to protect the personal data.

In the event that any Personal Data is transferred outside the European Economic Area (EEA) or to any third country, the Parties shall ensure that such transfers are carried out in accordance with the requirements of the GDPR and other applicable data protection laws.

Data subjects have the right to object to the sharing or disclosure of their personal data for direct marketing purposes or on grounds relating to their particular situation, unless the Company can demonstrate compelling legitimate grounds for such sharing or disclosure that override the interests, rights, and freedoms of the data subject.

We shall implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, or disclosure during the sharing or transfer process, such as encryption, access controls, and secure communication protocols.

The sharing or disclosure of personal data shall be limited to what is strictly necessary for the specific purpose, and shall be subject to any applicable exceptions or limitations under applicable laws and regulations.

We will ask for your consent unless the transfer of data is part of a contract.

7. Do we do data transfer outside the European Economic Area?

In the course of providing our services and operating our business, we may need to transfer personal data across international borders, including to countries outside the European Economic Area (EEA) and the United Kingdom (UK). Such transfers may be necessary for the performance of contracts with data subjects, for the implementation of pre-contractual measures taken at the data subject's request, or for the purposes of our legitimate interests.

When transferring personal data outside the EEA or UK, we will ensure that appropriate safeguards are in place to protect the data and comply with applicable data protection laws, including GDPR and the Law.

We may transfer personal data to countries or organizations that have been deemed by the relevant authorities to provide an adequate level of data protection. Alternatively, we may rely on appropriate safeguards such as standard contractual clauses approved by the European Commission or binding corporate rules.

In certain circumstances, we may also transfer personal data to third-party service providers or partners located in other countries for the purposes of providing our services or conducting our business operations. In such cases, we will ensure that appropriate safeguards are in place to protect the data and that the transfer is carried out in accordance with applicable laws and regulations.

Data subjects have the right to be informed about any cross-border transfers of their personal data and the safeguards in place to protect their data. Data subjects may exercise their rights or raise objections to such transfers by contacting us using the information provided this Privacy Policy.

We will comply with all applicable laws and regulations regarding cross-border data transfers, including the GDPR, the Law and the data protection laws of England and Wales.

We may update or modify our practices regarding cross-border data transfers from time to time.

Any changes will be reflected in an updated version of this Privacy Policy, and data subjects will be notified of such changes in accordance with applicable laws and regulations.

All data is now stored on servers in Germany and the UK. When transferring data, we use the necessary protective measures such as encryption and security protocols.

8. Do we use cookies?

We use the cookies necessary for the functioning of the website. Using cookies, we receive the technical information specified in clause 3 and our Cookie Policy.
If you want to disable cookies, then you can find instructions for managing your browser settings at these links:

• Internet Explorer
• Firefox
• Safari
• Microsoft Edge
• Google Chrome
• Opera
• Vivaldi

9. What rights do I have regarding my data?

You, as Data Subjects, have the following rights:

The right to obtain confirmation from the Company as to whether their personal data is being processed, and if so, to access their personal data and receive a copy of it. The Company shall provide the personal data in a commonly used and machine-readable format.

The right to request the rectification of inaccurate or incomplete personal data concerning them. The Company shall rectify such personal data without undue delay.

The right to request the erasure of their personal data without undue delay in the following circumstances:

1. a) The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
2. b) The Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
3. c) The Data Subject objects to the processing, and there are no overriding legitimate grounds for the processing;
4. d) The personal data has been unlawfully processed;

We erase the personal data without undue delay, unless the processing is necessary for the establishment, exercise, or defense of legal claims or for compliance with a legal obligation under applicable law.

Data Subjects have the right to request the restriction of processing of their personal data in the following circumstances:

1. a) The accuracy of the personal data is contested by the Data Subject, for a period enabling the Company to verify the accuracy of the personal data;
2. b) The processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of its use instead;
3. c) The Company no longer needs the personal data for the purposes of the processing, but the Data Subject requires the data for the establishment, exercise, or defense of legal claims;
4. d) The Data Subject has objected to processing pending the verification whether the legitimate grounds of the Company override those of the Data Subject.

Data Subjects have the right to receive their personal data, which they have provided to the Company in a structured, commonly used, and machine-readable format.

Data Subjects have the right to object, on grounds relating to their particular situation, at any time to the processing of their personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.

Data Subjects have the right to object to the processing of their personal data for purposes other than direct marketing, where the processing is based on the legitimate interests of the Company, unless the Company demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

To exercise your rights, write us an email at info@paycore.io. If your request was not satisfied, you can file a complaint to the regulatory body, the ICO via live chat service ico.org.uk/livechat or ico.org.uk/global/contact-us  .

The Company shall respond to such requests without undue delay and in any event within one month of receipt of the request, unless the request is particularly complex or numerous, in which case the Company may extend the time limit by a further two months, informing the Data Subject of the extension and the reasons for the delay.

10. How do we update Privacy Notice?

This privacy policy and the relationships falling under its effect are regulated by the GDPR.

The Company reserves the right to modify, update, or amend this Privacy Policy at any time, in its sole discretion, to reflect changes in legal requirements, business practices, or technological advancements.

Any changes to this Privacy Policy will be communicated to Data Subjects through appropriate means, such as by posting a notice on the website, sending an email notification, or other reasonable methods.

The Company shall provide reasonable advance notice of any material changes to this Privacy Policy, allowing Data Subjects sufficient time to review the updated terms.

The effective date of any changes to this Privacy Policy will be clearly stated in the updated version, and Data Subjects' continued use of the services or website after the effective date shall constitute acceptance of the updated Privacy Policy.

Data Subjects may request access to previous versions of this Privacy Policy for reference or comparison purposes by contacting the Company using the contact information provided this Privacy Policy.

The Company shall periodically review and update this Privacy Policy as necessary to ensure compliance with applicable laws and regulations.

You as a Data Subject are encouraged to review this Privacy Policy regularly for any updates or changes. Any questions or concerns regarding changes to this Privacy Policy should be directed to the Company using the contact information provided in this Privacy Policy.

11. California privacy rights

We make these disclosures to those visiting our websites who reside in California which supersede and replace any conflicting disclosures found elsewhere on our websites as well as reflect your privacy rights granted by the California Consumer Privacy Act (CCPA).

Opt-out of disclosure for direct marketing purposes. The California laws allow its residents to learn the identities of entities that received their personal data for marketing purposes and the categories of information disclosed. You may request such information by contacting us by email at info@paycore.io.

Please be aware that this opt-out does not prohibit our disclosure of personal data for any purpose other than direct marketing. The data we process and share may include your name, address, email address, and telephone number.

Automatic gathering of information. We collect data that you provide to us online, and through websites of unaffiliated third parties.

Automatic gathering of information by third parties. When you visit our websites, third parties can collect personal data about your online activities over time and across different websites pertaining to your visit to or use of our and other websites.

12. Do-not-track requests.

California residents visiting our websites may request that we do not automatically gather and track information pertaining to their online browsing movements across the Internet. Such requests are typically made through web browser settings that control signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personal data about an individual consumer's online activities over time and across third-party websites or online services. We currently do not have the ability to honour these requests. We may modify this Notice as our abilities change.

13. California residents’ data protection rights.

The CCPA has extended California residents’ data protection rights. However, we have already guaranteed all these rights and described them precisely in this Notice as well as a means of rights exercising. Please refer below to investigate.

Right to be informed. Please find a list of personal data we collect about you and your activity, sources and business purposes of personal data collection, and third parties we may share your personal data within Section 3 - 6 of the Notice.

Your Right of access, Data portability, and Right to delete are prescribed by Section 7 of the Notice.

You can exercise these rights any time by contacting us via email at info@paycore.io.

Notice, the CCPA envisages some specific requirements related to the exercising of these data protection rights. Considering them we may:

• respond to your request within forty-five (45) days of receiving the request;
• provide you with personal data we collected about you no more than twice in a 12-months period (categories and specific pieces of collected personal data, business purpose and sources of collection, categories of third parties personal data is shared with);
• NOT provide you with personal data if we cannot verify your identity. You shall provide us with sufficient information allowing us to verify you as the person about whom we collected personal data. However, we do consider requests made through your Account sufficiently verified.
• NOT transmit your personal data to another entity.

Also, please be aware that we are allowed to maintain personal data after deletion request is received as permitted by the CCPA (for instance, for the purposes of detection of security incidents, repair errors, comply with legal obligations, transaction completion).

We want to draw your special attention that Corefy does not sell, rent, or trade your personal data to anyone.

Non-discrimination right. We definitely will not discriminate (including, by denying Services, charging different prices for Services, providing different quality of Services) against you for exercising any of your CCPA data protection rights.