1. General information
We hereby inform you about the processing of your personal data and the claims and rights to which you are entitled under the data protection regulations. In the context of using the secupay app as a wallet for credit cards and debit cards, we store data with the aim of enabling you to use the app.
1.1 Who is responsible for storing the data collected in the app? (responsible parties)
The data processing in the app is carried out by:
secupay AG Goethestrasse 6
secupay AG is the publisher of the secupay app and, as a payment institution licensed by BaFin, is responsible for the processes required for card creation and for loading the cards that can be managed in the secupay app. secupay is not an issuing office commissioned directly by Mastercard or VISA, but merely forwards the customers' data to the offices authorized to do so and acts as an intermediary between the user and the licensed issuing office (card-issuing e-money institution).
76, „James Bourchier“ Blvd,
1407 - Sofia / Bulgaria
Paynetics is the card-issuing e-money institution and offers registered users debit cards and credit cards from Mastercard and VISA for use for payment at electronically connected acceptance points. Currently, only cards issued by Paynetics can be managed in the secupay app.
76, „James Bourchier“ Blvd,
1407 - Sofia / Bulgaria
Phyre is the technical provider of the secupay app and is responsible for the connectivity of the app to Paynetics in order to display card data, sales and balances in the app.
1.2 Who is the responsible data protection officer?
You can reach our data protection officer at:
Mr Axel Hirsch
1.3 How do we collect your data?
Your data is collected by you providing it to us. This may be data that you enter into the app during the registration process or data that you hand over to the recording employee during the registration process. In addition, other data is automatically collected by our IT systems when you visit the app. This is mainly technical data (e.g. app version, operating system or timestamp of the app call). This data is collected automatically as soon as you start the app.
1.4 What do we use your data for?
We process your personal data in accordance with the provisions of the EU General Data Protection Regulation (DSGVO) and the German Federal Data Protection Act (BDSG) for the following purposes:
- For the fulfillment of contractual obligations (Article 6 (1) lit. b DSGVO): The processing of personal data is carried out in the context of the implementation of our contract with you as our customer or for the implementation of pre-contractual measures that take place at your request. In particular, this applies to the use of the secupay app and its functions, such as payment by smartphone in brick-and-mortar stores and online stores or the query and display of card payments made and the card balance. This also includes communication with you. We use your personal information to communicate with you, for example by e-mail regarding your concerns.
  Relevant personal data may include in particular:
  - Personal data (name, date of birth, place of birth, nationality and similar data)
  - Contact details (address, email address, telephone number and similar data)
  - Legitimation data (identification and registration data)
  - Current accounts and credit card data
- Within the framework of the balancing of interests (Article 6 (1) f DSGVO): To the extent necessary, we process your data beyond the actual performance of the contract to protect legitimate interests of us or third parties, for example:
  - Assertion of legal claims and defense in legal disputes
  - Ensuring IT security and IT operations
  - Prevention of criminal offences
  - Error-free provision of the website
- Based on your consent (Article 6 para. 1 lit. a DSGVO): If you have given us consent to process personal data for specific purposes (e.g. sharing of data within the association/group), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time. This also applies to the revocation of declarations of consent given to us before the EU General Data Protection Regulation came into force, i.e. before May 25, 2018. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected.
- Due to legal requirements (Article 6(1)(c) DSGVO) or in the public interest (Article 6(1)(e) DSGVO): In addition, as a payment or e-money institution, we are subject to various legal obligations, i.e. legal requirements (e.g. Payment Services Supervision Act, Money Laundering Act, tax laws) as well as banking supervisory requirements (e.g. the Federal Financial Supervisory Authority BaFin). The purposes of processing include, among others, identity and age verification, fraud and money laundering prevention, the fulfillment of control and reporting obligations under tax law, and the assessment and management of risks within the company.
1.5 Who receives your data?
Within the company, access to your data is granted to those departments that need it to fulfill our contractual and legal obligations. Service providers and vicarious agents employed by us may also receive data for these purposes if they comply with data secrecy and our written instructions under data protection law. These are essentially companies from the categories listed below.
With regard to the transfer of data to recipients outside the responsible bodies, it should be noted that as a payment or e-money institution we are obliged to maintain confidentiality about all customer-related facts and evaluations of which we become aware. We may only pass on information about you if this is required by law, if you have given your consent, if we are authorized to provide banking information and/or if the processors we have commissioned guarantee compliance with banking secrecy and the requirements of the EU General Data Protection Regulation/Federal Data Protection Act in the same way. Under these conditions, recipients of personal data may be, for example:
- Public bodies and institutions (e.g. Deutsche Bundesbank, Federal Financial Supervisory Authority, European Banking Authority, European Central Bank, tax authorities, Federal Central Tax Office) if there is a legal or regulatory obligation.
- Other credit and financial services institutions, comparable institutions and contract processors to whom we transmit personal data in order to carry out the business relationship with you.
In detail: Processing of bank information, support/maintenance of EDP/IT applications, archiving, document processing, compliance services, securing of payment releases, controlling, data screening for anti-money laundering purposes, data destruction, recovery, payment card processing, customer administration, telephony, website management, payment transactions. Other data recipients may be those entities for which you have given your consent to data transfer or for which you have released us from banking secrecy pursuant to agreement or consent.
1.6 Will data be transferred to a third country?
Data is only transferred to countries outside the EU or the EEA (so-called third countries) if this is necessary to execute your orders (e.g. payment orders) or is required by law.
1.7 What rights do you have regarding your data?
You have the right at any time to receive information free of charge about the origin, recipient and purpose of your stored personal data. You also have a right to request the correction, restriction or deletion of this data. For this purpose, as well as for further questions on the subject of data protection, you can contact us at any time at the address given in the imprint. Furthermore, you have the right to lodge a complaint with the competent supervisory authority.
1.8 Analysis tools and third-party tools
2. General notes and mandatory information
2.1 Data protection
2.2 Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can revoke an already given consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
2.3 Right to complain to the competent supervisory authority
In the event of violations of data protection law, the data subject has a right of appeal to the competent supervisory authority. The competent supervisory authority in matters of data protection law is:
Saxon Data Protection Commissioner
Devrient Street 5
Telephone: 0351/85471 101
Fax: 0351/85471 109
2.4 TLS Encryption
The app uses TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or requests that you send to us as the app operator.
2.5 Information, restriction, deletion
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of data processing and, if applicable, a right to correction, restriction or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time at the address given above.
2.6 Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you request direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
3. Data processing in the app
3.1 Data processing during registration and subsequent card use
Users can register and create a user account in the process. The data entered during registration is used for the purposes of using the service.
We collect, process and use personal data only to the extent that they are necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b DSGVO, which permits the processing of data for the fulfillment of a contract or pre-contractual measures, as well as on the basis of Art. 6 para. 1 lit. c DSGVO, which permits processing that is necessary for the fulfillment of a legal obligation to which the responsible party is subject. We collect, process and use personal data about the use of our website (usage data) only to the extent necessary to enable the user to use the service.
The collected customer data will be deleted after completion of the order or termination of the business relationship. It is the responsibility of users to back up their data before the end of the contract in the event of termination. We are entitled to irretrievably delete all user data stored during the term of the contract if this does not conflict with statutory retention periods. Statutory retention periods remain unaffected by this. If data is retained as evidence, it is subject to the limitation periods of the German Civil Code (BGB) §§ 195 ff. and can last up to 30 years, with the regular limitation period being three years. IP addresses are deleted after 90 days at the latest.
In principle, this data is not passed on to third parties, unless it is necessary for the pursuit of our claims or there is a legal obligation to do so in accordance with Art. 6 Para. 1 lit. c DSGVO.
In order to use the service, we may collect the following data from you:
- First and last name
- Date of birth
- ID card data
- E-mail address
- Mobile phone number
- PEP and SIP status
- IP address at the time of registration
- IP address of login
- Card turnover
- Communication data for managing your cards via the secupay AG interface
3.2 Server log files
secupay or automatically collects and stores information from the app in so-called server log files. The following information is transmitted to us by the app:
- App name and version
- Operating system used
- Device model
- Referrer URL
- Host name of the mobile device
- Time of server request
- IP address
- Language and region
This data is not merged with other data sources. The basis for data processing is Art. 6 (1) lit. f DSGVO, which permits the processing of data to protect legitimate interests. We use this data both to operate and improve the app and for fraud prevention. Deletion of the data takes place automatically after 90 days at the latest.
3.3 Access rights of the app
The app can request the following access rights, which are classified as critical. These access rights can be defined individually and separately by the customer.
- Network connections: Required for the app to be fully functional and to transmit and receive data.
- Background update: Required by Apple Services, specifically for push notifications.
- Messages: Required to receive messages, in this case push notifications.
In order to enable the use of the app, the app can also request other, non-critical, permissions in addition to those listed here.
3.4 Use of Apple Pay
If you activate and use Apple Pay, you agree that we authorize Mastercard or VISA to transmit data to Apple for payment processing.
The following data will be transmitted:
- First name, last name
- Expiration date
This data is transmitted to Apple in encrypted form. Apple decrypts the data, determines the card's payment network, and re-encrypts the data with a key that can only be decrypted by the payment network. Apple retains anonymized transaction data, including the approximate purchase amount, the name of the app developer and the app, the approximate date and time, and whether the transaction was completed successfully.
The transfer of your data to Apple is based on Art. 6 (1) lit. b DSGVO (processing for the performance of a contract).
3.5 Use of Google Pay
By enabling and using the widget for Google Pay, you agree that we authorize Mastercard to transmit data to Google LLC for payment processing.
The following data will be transmitted:
- Phone number
- Sales data (e.g. merchant name, location, amount).
The transmission of your data to Google is based on Art. 6 (1) lit. b DSGVO (processing for the performance of a contract).
4. Push notifications
When using our app, we may contact you with push notifications about new promotions, coupons and personal offers. For the further development of our offer and statistical purposes, we record when and how often a push notification is opened. We collect this information pseudonymously. Of course, you can unsubscribe from push messages at any time in the app settings. The sending of push notifications is based on our legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f) DSGVO.
Only the German version of the following regulations is legally binding. If a translation is provided, it is for information purposes only.