LAST UPDATED February 16, 2021
This App is offered through a partnership between three companies – Pocosys, Pocopay, and Lender (all defined below). This Privacy Statement describes how these three companies and our partners collect and use data when you use any of our products and services.
Below, we’ll walk you through who we are, what data we collect, why, and what your rights are.
In addition to terms defined elsewhere in this Privacy Statement, the following capitalized terms shall have the following meanings:
the “Dify” branded mobile application provided by Pocosys
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. “Data controller” “data processor” “process” “personal data” and similar terms have the meanings given in Art. 4 of the GDPR.
means information collected through the App, which may contain personal data, as defined in the GDPR.
means AS Pocopay, a company established under the laws of Estonia, registry code 12732518, address Pärnu mnt 18, Tallinn 10141, Estonia. Pocopay is a licensed payment institution licensed by the Financial Services Authority of Estonia. Pocopay provides payment account services and issues your card.
means OÜ Pocosys, a company established under the laws of Estonia, registry code 12963672, address Pärnu mnt 18, Tallinn 10141, Estonia. Pocosys is a software company and it owns the App.
means Dify Financial Technologies Iberia S.L.U., a company established under the laws of Spain, registered in Barcelona commercial register, registry code volume 47373, page 204, sheet 550013. address Calle Enrique Granados 111, 6o2a, 08008. Barcelona, Spain. Lender provides lending services, including the “buy now, pay later” product available through the App.
The Opera Group
means other companies in Europe that collaborate with and act as data processors for Pocopay, Pocosys, and Lender.
means the human being reading this statement and using our products and services, permanently residing in Spain, and at least 18 years old.
means Pocopay, Pocosys, and Lender together.
Next we will describe what categories of personal data each company collects, and why.
Who collects what, and why
We may process Your personal data for the purposes listed below depending on which services You use. You can apply for payment services offered by Pocopay via the App and You may be able to apply for credit services offered by the Lender. If You decide to apply for credit services then Your personal data will be processed by the Lender and other third parties who help with assessing Your creditworthiness. If You do not use certain services offered in the App then such service providers may not process Your personal data.
Pocopay, Pocosys, and Lender, each act as a “data controller” of different kinds of data (including personal data) that is collected through the App. Specifically, Pocopay is an independent controller of data, while Pocosys and Lender act as “joint controllers” of other data.
Here we will begin with a brief summary of which kinds of data each of our companies processes. Below, we’ll go into more detail about each category of data, the purpose of processing it, and the legal basis for doing so.
Pocopay, Pocosys and the Lender may exchange Your data between each other in order to provide You better services.
|Data Category||Purpose of Processing|
|Personal Details||Compliance Purposes, Contractual Purposes, Fraud Monitoring Purposes, Analytical Purposes|
|Due Diligence Information||Compliance Purposes|
|Identification Document Data||Compliance Purposes|
|Contact Information||Contractual Purposes|
|Transaction Data||Compliance Purposes, Contractual Purposes, Fraud Monitoring Purposes and Analytical Purposes|
|Payments Information||Compliance Purposes, Contractual Purposes, Fraud Monitoring Purposes,|
|Data Category||Purpose of Processing|
|Contact Information||Contractual Purposes, Marketing Purposes|
|Device Data||Marketing Purposes, Analytical Purposes|
|Customer Support Information||Contractual Purposes|
|Payments Information||Contractual Purposes|
|Transaction Information||Contractual Purposes|
|App Information||Contractual Purposes, Analytical Purposes|
|Data Category||Purpose of Processing|
|Due Diligence Information||Compliance Purposes|
|Personal Details||Compliance Purposes, Credit Scoring Purposes, Marketing Purposes, Contractual Purposes|
|Identification Document Information||Compliance Purposes|
|Household Information||Credit Scoring Purposes, Analytical Purposes|
|Financial Status Information||Credit Scoring Purposes, Analytical Purposes|
|Payments Information||Contractual Purposes, Compliance Purposes|
|Transaction Information||Contractual Purposes, Compliance Purposes, Analytical Purposes|
Data Category: What kinds of personal data do we use?
In this section we will describe the different categories of data we may collect when you use the App or our services.
Information that you provide to us
Some categories of data we collect when you provide it to us directly (for example when you register as a new user, or request specific services through the App). This data includes:
- Personal Details – your first and last name, tax ID number (NIE), document details (expiry, issue dates), date of birth, citizenship / nationality, gender, photos or images of yourself that You have given us.
- Identification Document Data - Data retrieved from Your identification document which You have forwarded to us, including the document number, issue date, expiry date and issuing entity, photo and/or video footage of Your identification document.
- Household Information – such as the number of people in your household, marital status, time living in current address, number of dependent children, education level, occupation, language, country of residence.
- Financial Status Information – your main source of income, monthly source of income, monthly net income, monthly spending, monthly debt repayment, desired credit limit.
- Contact Information – your phone number, e-mail, street address, postal code, country, city.
- Customer Support Information – if you contact our customer support team with a question or concern, communication between You and customer support may be retained (e-mails and chat logs).
Information that we collect about you
We will collect the following categories of information about you indirectly, for example from third parties or via the App:
- Device Data – Information regarding the device on which you are using the App, including the device’s model, device ID, IMEI.
- App Information – such as your IP address, installation key ID, authentication token, system fingerprint.
- Transaction Information – information about transactions you complete with the App or your card, including the name and account number of the payer and the payee, the date, time, currency, amount and explanation of the transaction.
- Payments Information – e.g. card spending limits, card settings, some card details.
- Due Diligence Information - Data we collect for the purpose of conducting customer due diligence under applicable anti-money laundering laws from You and appropriate databases, including information about whether You have been affiliated with money laundering or terrorist financing, whether You have been prosecuted for a crime, whether You have been subject to any international financial sanctions, whether You have held a public office or whether You are a close relative or associate of someone who has held public office.
Purpose of Processing: Why do we need your data?
Each company in our group may use Your data for different purposes, as explained below.
Compliance Purposes – to carry out obligations imposed by applicable laws, including the obligation to:
- avoid money laundering, terrorist financing and fraud;
- ensure the fulfilment of international financial sanctions;
- ensure the security of our payment services;
- provide tax authorities data as required under tax information exchange laws;
comply with the lawful inquiries and orders of:
- public authorities with whom we are obliged to cooperate under applicable laws, such as courts, bailiffs, trustees in bankruptcy, the police, financial supervisory authorities, financial intelligence units, tax authorities, etc.;
- (other financial institutions with whom we are obliged to cooperate under applicable laws, including, upon Your prior authorization, payment information service providers and payment initiation service providers.
Contractual Purposes – to enter into or perform our contracts with You, including setting up your account and providing the services you have requested. These purposes also include providing You with customer support.
Fraud Monitoring Purposes – to monitor and reduce payment fraud.
Analytical Purposes – to gain a better understanding of the preferences of our customers and how they interact with the App, and making improvements to the App and our services.
Marketing Purposes – to send You marketing information about our products and services.
Credit Scoring Purposes – Making a decision about whether to offer You a loan, and if so, for how much.
We process Your personal data under the following lawful grounds under the GDPR:
- Compliance Purposes – GDPR art 6 ( 1 ) ( c ), as relevant processing is necessary for compliance with obligations stipulated in applicable laws to which we are subject.
- Contractual Purposes – GDPR art 6 ( 1 ) ( b ), as relevant processing is necessary for the performance or entry into a contract with You.
- Fraud Monitoring Purposes – GDPR art 6 ( 1 ) ( f ), as we have legitimate interests to monitor and reduce payment fraud.
- Analytical Purposes – GDPR art 6 ( 1 ) ( f ), as we have legitimate interests to gain a better understanding of the preferences of our customers and how customers interact with the App.
- Marketing Purposes – GDPR art 6 ( 1 ) ( f ), as we have legitimate business interests to offer our customers additional services, they may be interested in.
- Credit Scoring Purposes – GDPR art 6 ( 1 ) ( f ), as we have legitimate business interests in deciding whether and how to lend funds to our customers.
We retain Your personal information only as long as necessary according to the purpose of processing. Data processed for Compliance purposes often must be retained for a period set by applicable law. Data processed for Contractual Purposes will be retained for the time the contract is in force, and for a reasonable time thereafter. Data processed for Credit Scoring Purposes will be stored for a period between three months (specifically, data processed for performing credit checks), to a maximum of two years (in the cases of data processed for credit and fraud model training).
Sharing data with third parties
In some circumstances Your data may be shared with or received by third parties other than Pocopay, Pocosys, or Lender. These third parties may include:
- Other companies in Opera Group in Europe, including Opera Norway AS and its subsidiaries. Opera group companies provide various forms of logistical, technical support, tools for credit scoring and KYC purposes, value-added services and may act as data processors for the Parties. Opera Group companies may receive data such as user-ID, device IDs or crash reports to assist in distribution and software development, value-added services, as well as data pertinent to developing our credit engine and KYC tools.
- Third-party service providers to whom we have delegated activities in order to comply with our legal requirements and provide better services to you (e.g. companies engaged in identity verification (including Veriff OÜ), customer relationship management, cloud computing platforms).
- Entities which maintain databases (including Experian Bureau de Crédito, S.A or any other similar entities) to whom we send information for the purpose of applying the principle of responsible lending, as well as to enable us to evaluate your creditworthiness and perform credit checks.
- Technology providers (like Appsflyer, Mixpanel, Apple, Facebook SDK and Google AdMob) may collect cookies to collect data.
- Debt collection service providers, if you are in breach of contract.
- Law enforcement agencies, to whom information regarding false identities and other fraudulent identity documents may be provided, when and to the extent required by applicable law.
- Couriers who help deliver You letters.
Pocopay may share elements of Your personal data with the following third parties:
- Public authorities and other financial institutions whom Pocopay is obliged to disclose Your personal data under law.
- Server hosts who host Pocopay’s servers.
- Payment processors and payment network operators who process Your transactions.
- Card manufacturers who manufacture Your Card.
- Google Pay and Apple Pay if You have added Your Card to such services.
As a general rule, Your data is not sent outside the European Economic Area for processing. In the event that Your Data is transferred outside of the EEA to a Third Party, We will transfer such data in accordance with the GDPR.
As indicated above, some data is used in automated decision-making, including profiling. In particular, some data is used to make decisions about your creditworthiness. To make this decision our credit engine reviews your Financial Status Information, Transactions Information, and Payments Information, as well as publicly available credit reporting resources.
You have all the rights arising from the General Data Protection Regulation and other applicable law, including the rights;
- to withdraw consent to the processing of Your Data (in instances where we are relying on consent as the basis to process Your Data);
- to receive Your Data processed by us in electronic format;
- to request for information concerning Your data;
- to request the rectification of Your data if these have changed or are otherwise inaccurate for any other reason;
- to have Your personal data be erased or to request that its processing be restricted.
In case You have complaints regarding the processing of your personal data, You may file them with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or the Data Protection Authority of the state in which You have permanent residence.
If You have any questions about data processing or wish to exercise Your rights, which includes withdrawing Your consent, You may send an email to our data protection officer at email@example.com, or contact us via the App.