Last updated: May 22, 2018
In accordance with our commitment to protect personal privacy, SpicePay adheres to the principles of the EU General Data Protection Regulation. More information can be found at www.eugdpr.org.
Throughout this policy, we use the term “personal information” to describe information that can be associated with a specific person and can be used to identify that person. We do not consider personal information to include information that has been aggregated and/or anonymized so that it does not identify a specific user.
There are four types of users whose personal information we may process:
Visitors to our website;
Merchants that sign up for our Services;
Shoppers who indirectly interface with SpicePay when paying a merchant’s invoice during the checkout process, an operation facilitated by SpicePay’s software platform;
Users who use the SpicePay wallet to store, send and receive digital funds, namely Bitcoin;
We do not collect any personally identifiable information from children under the age of 18. If you believe that a child under the age 18 has provided us with personally identifiable information, please contact our customer support.
This Policy only applies to information we process. It does not apply to the practices of companies that we don’t own or control, or employees that we don’t manage. Information on our services’ may contain links to third party websites, and any information you provide to those sites will be covered by any privacy policies they may have. Please be sure to read the privacy policies of any third-party sites you visit. It is those sites’ responsibility to protect any information you give them, so we can’t be held liable for their wrongful use of your personally identifying information.
We may update this policy from time to time and will notify you of changes to this policy affecting your rights by email and/or by posting on our website at www.spicepay.com.
2. Your Personal Data and How We Use It
In this Section we will describe the purposes for which we may process personal data and the general categories of personal data we may process.
Our primary purpose for collecting personal information is to provide you with a secure, smooth, efficient, and customized experience. In that regard, we may use your personal information to:
provide the services and customer support you request;
process transactions and send notifications to inform you of the transaction status;
resolve disputes, collect fees, and troubleshoot problems;
prevent potentially fraudulent, prohibited or illegal activities, and enforce our User Agreement;
customize, measure, and improve our services and the content and layout of our website;
send you updates about new products and services that we are offering;
compare information for accuracy and verify it with third parties; and perform other duties as required by law.
The information we collect depends on the type of user and can categorized in one or more of the following categories.
We may process your visitor data (”visitor data”). Visitor data may include standard web log information, such as: IP address, browser type, operating system, pages accessed on our website, date and time the website was accessed. We may collect this information for fraud prevention purposes and to be able to better assist with any visitor inquiries.
We may process your registration data (“registration data”). Registration data may include your username and email address. Registration data is required in order for you to be able to use the SpicePay services.
We may process your account data (“account data”). Account data may include your full name, email address, username, country, telephone number, bank account, VAT number, PayPal account information, etc. The account data may be processed for the purposes of providing our services, ensuring the security of our users and services, and communicating with you.
We may process your identity documents (“ID data”). Verifying account with an ID and company registration documents is currently mandatory to all merchants. ID may contain your full name, country, date of birth, document expiration date. Company registration documents may contain your company’s name and address, identification number, company type and company officer’s full name and date of birth, etc. The purpose for ID data is to verify the identity of the account holder and prevent, detect and investigate fraud, money laundering, criminal activity or other misuse of our service. ID data creates a strong assumption about the ownership of the account and thus ensures that we can return access to your account in case your account is hacked or temporary frozen.
We may process your address documents (“address data”). Verifying account with a document confirming current residence or company location is mandatory to all merchants. Address documents, such as bank, tax or utility statements, may contain your full name, company name and address, along with additional sensitive personal information that the user is encouraged to prevent displaying or avoid supplying. The address data is used for risk-management purposes.
We may process data about your use of our website and services (“usage data”). Usage data is primarily non-personally-identifying information of the sort that web browsers, servers, and services like Google Analytics typically make available, such as the browser type, language preference, referring site, and the time of each visit. Other non-identifying information that we might have access to includes how you use the service (e.g. search queries), your approximate location, cookies set by our site, etc. Usage data may be collected for behavior statistics, business intelligence and email campaigns (“analytics data”) or for technical, security and/or fraud prevention reasons or for tracking errors (“technical data”).
We may process data relating to digital currency transactions in and out of your bitcoin wallet (“transaction data”). Information stored on received transactions may include timestamp, transaction amount, deposit address and transaction ID and other publicly available data from the bitcoin blockchain. Withdrawal transactions may include data such as timestamp, transaction amount, withdrawal method, sent address, transaction ID, and description. The purpose of the transaction data is to help SpicePay provide the services and customer support you request; resolve disputes and troubleshoot problems; perform risk management.
We may process information contained in or relating to any communication that you send to us or what you generate through the use of our service (“communication data”). Communication data includes 1) all your messages, requests and other communication with our customer support which may happen via support tickets, emails, or by means of any other communication tool. Communication data may include, email address, username, IP address, full name, audio and video files and in the case of manual ID verification: photo of the user’s personal ID, photo of the user, and photo of the user’s bank statement/utility bill or related document. The communication data may be processed for the purposes of communicating with you, record-keeping, in order to review and resolve disputes, support our customer needs and improve our service.
We may process information that you provide to us for the purpose of subscribing to our email notifications, SMS verification and/or newsletters (“notification data”). The notification data may include your email address, phone number, username and full name. The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters.
We may process information provided by the customers of our merchants clients (“merchant’s customer data”). When a customer wishes to pay an invoice created by a SpicePay merchant, the customer may be requested to provide full name and an e-mail address. This information may be necessary for the communication with the customer regarding the various payment processing steps and for help with troubleshooting and dispute resolution.
We may process any of your personal data when necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or outside the court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.
In addition to the specific purposes for which we may process your personal data set out in this Section 2, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
3. Providing Your Personal Data to Others
In this Section 3 we will detail the external services (“processors”) that we use for processing personal data on behalf of us and the types of personal data that processors may process.
For behavior statistics and business intelligence we use the service by Google LLC (“Google Analytics”), a company located in the United States. Data that we may provide to Google Analytics may include your IP address and is used by Google Analytics to generate information about your usage of our service.
For processing notification data and delivering SMS messages to users, we use the services by Nexmo Inc (”Nexmo”), a company located in the United States.
For processing communication data, we use the service by Olark (“Olark”), a company located in the United States. Communication data may include IP address, country, pages visited, e-mail address, website or company affiliation.
For processing of transaction data and the support and security of the SpicePay wallet, we use the services by BitGo (“BitGo”), a company located in the United States. Data that we may provide to BitGo is primarily non-personally-identifying information and may include usage and transaction information.
For processing of notification and communication data, we use the services of Mailgun Technologies Inc. (“Mailgun”), a company located in the United States. Data we may provide includes e-mail address and any other information the user chooses to disclose in an e-mail communication with our support team.
For the issuance and support of the SpicePay debit card, we used the services of third-party e-money issuer WaveCrest Holding Limited (“WaveCrest”), a company located in Gibraltar. While we no longer offer the SpicePay debit card, data our clients may have provided as part of an application process includes full name, e-mail address and residential address.
SpicePay uses a third-party application embedded to our site. It is a service operated by Simplex Payment Services Limited (“Simplex”), a company located in the United Kingdom. Simplex provides SpicePay’s end users an option to transfer monetary deposits for the payment of merchant invoices in cryptocurrency. Data that users may provide includes Bitcoin or Bitcoin Cash address, full name, address, credit card information and is thus processed by Simplex. Our contract with Simplex dictates that the processor can use your information only in connection with the services performed for us and never for their own benefit.
In addition to the specific disclosures of personal data set out in this Section 3, we may also disclose your personal data to:
auditors, lawyers, accountants, consultants and other professional advisors when reasonably necessary for the purposes of obtaining professional advice or managing legal disputes and risks.
law enforcement, government officials, or other third parties if SpicePay is compelled to do so by a subpoena, court order or similar legal procedure, when it is necessary to do so to comply with law, or where the disclosure of personal information is reasonably necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of the SpicePay User Agreement, or as otherwise required by law.
service providers under contract who help with parts of our business operations (for example, fraud prevention, payment processing, or technology services). Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own benefit. Please note that these third parties may be in other countries where the laws on processing personal information may be less stringent than in your country.
SpicePay’s website may contain links to other third-party websites. SpicePay does not control the information collection of third-party websites that can be reached through links from the website. We encourage our users to be aware when they are leaving the website and to read the privacy statements of any third-party website that collects personally identifiable information.
4. International Transfers of Your Personal Data
We store your information primarily within the European Economic Area. However, some features and requirements of the service, may involve transferring your information to third-party service providers outside the European Economic Area. We have described all those service providers above in Section 3. Where such service providers are not established in a country ensuring an adequate level of protection within the meaning of Regulation (EU) 2016/679, such as the United States, the transfers will be covered by the standard data protection clauses adopted by the European Commission or by another appropriate safeguard mechanism such as the Privacy Shield Framework.
5. Protection and Storage of Your Personal Information
We store and process your personal information using third party servers located in data centers in the European Economic Area. This information is protected by physical, electronic and procedural safeguards in compliance with applicable regulations.
We also use computer safeguards such as firewalls and data encryption, we enforce physical access controls to our office and files, and we authorize access to personal information only for those employees who require it to fulfill their job responsibilities.
We strive to ensure security on our systems. Despite our efforts, we cannot guarantee that personal information may not be accessed, disclosed, altered or destroyed by breach of our administrative, managerial and technical safeguards. Therefore, we urge you to take adequate precautions to protect your personal data as well, including never sharing your password with anyone.
If SpicePay learns of a systems security breach, we may attempt to notify you electronically so that you can take appropriate protective steps. By using the SpicePay Services, you agree that SpicePay may communicate with you electronically. We may post a notice on the website or send you an e-mail notification if a security breach occurs.
6. Access and Changes to Your Personal Information
You can review your name, phone number, email address, bank information and PayPal account information at any time by logging in to your account and reviewing your personal information in the Settings area of your Dashboard.
If you wish to update your personal information or change the information relating to your industry or company website, you can send a request to email@example.com.
7. Retaining and Deleting Personal Data
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Users may request the deletion of their account through our site.
We will retain and delete your personal data as follows:
For all users who have deleted their account:
Personally-identifiable analytics data is removed 14 days after account deletion.
Notification data is not generally stored by our processors but they may retain activity logs for a short period of time.
For users who have not conducted or initiated any cryptocurrency transactions using their wallet, we will delete all personal data immediately after the approval of your account deletion request.
For users who have initiated cryptocurrency transaction using their wallet and whose account deletion request has been approved by us, our data deletion policy is the following:
Your registration data, account data, ID data, trade data and technical data will be deleted 5 years after you delete your account.
Cryptocurrency transaction data from our internal systems will be removed 5 years after you delete your account, with the exception of publicly available information on the bitcoin blockchain.
Users can request that their account is reinstated within 48 hours after the submission of the deletion request. From that point on, account restoration would not be possible.
In some cases it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the period we need to access the data for the provision of services, receiving payment, resolving your customer support issue or other issues or for any other auditing or legal reasons.
Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.
8. Your Rights
In this Section 7, we detail the principal rights that you have under the data protection law. Some of the rights are complex, might contain restrictions depending on the legal basis for processing the data and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights. Please find the complete text of the regulations here: www.eugdpr.org.
Your principal rights under data protection law are:
(a) the right to access;
You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. You can ask for your personal data by contacting our customer support.
(b) the right to rectification;
You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
(c) the right to erasure;
You have the right to the erasure of your personal data. We have described our policy for retaining and deleting personal data above in Section 6.
(d) the right to object to processing;
You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defense of legal claims.
(e) the right to data portability;
To the extent that the legal basis for our processing of your personal data is consent, and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
(f) the right to complain to a supervisory authority;
If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
(g) the right to withdraw consent.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
Without prejudice to the aforementioned, if we have reasonable doubts concerning the identity of a user exercising his/her rights referred to in this section or if we otherwise due to security reasons deem it necessary, we may request the provision of additional information and otherwise use all reasonable measures necessary to confirm the identity of the user.
You may exercise any of your rights in relation to your personal data by contacting our customer support. Concerning “Right to erasure” users are also able to request the deletion of their account through our site.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain any information that personally identifies a user, but personal information that we may store about you may be linked to the information stored in and obtained from cookies.
We use “session” cookies when you are logged in so that we can remember this fact. That way we don’t have to ask you to re-enter your password every time you visit a new page. Once you logout or close your browser, this cookie expires and no longer has any effect.
We also use “persistent” cookies for other purposes such as to display your e-mail address on our login page, so that you don’t need to retype the e-mail address each time you log in to your account.
When you submit data through a form such as those found on contact pages, cookies may be set to remember your user details for future correspondence. In order to provide you with a great user experience, we provide the functionality to set your preferences for how this site runs when you use it. In order to remember your preferences we need to set cookies so that this information can be called whenever you interact with a page that is affected by your preferences.
We also use Local Shared Objects, commonly referred to as “Flash cookies,” to help ensure that your account security is not compromised, to spot irregularities in behavior to help prevent fraud, and to support our sites and services.
We run an affiliate program and provide our affiliates the opportunity to advertise our site and services. With the affiliate program we use tracking cookies to track users who visit our site through one of our affiliate partner sites in order to credit them appropriately, and where applicable, allow our affiliate partners to provide you any bonus for making a purchase.
For more information on cookies and how to opt-out of them, please visit the following third party website: http://youronlinechoices.eu
10. How to Contact Us