1. General information
SIA GR8 PAY, registration No. 50203643321 (hereinafter – the Company), operates as a provider of electronic money and payment services. The purpose of this Privacy Policy (hereinafter – the Privacy Policy) is to explain how the Company processes the data of natural persons, including the purposes of personal data processing, the applicable legal basis, the scope and duration of processing, as well as the rights of the data subject and the procedures for exercising them.

The Company processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter – the Regulation), as well as in compliance with other applicable laws and regulations of the European Union and the Republic of Latvia and recognized principles of good practice. Personal data is processed in a way that ensures confidentiality, with appropriate organizational and technical measures in place to protect data security.

In order to ensure that data subjects always have access to up-to-date information on the processing of personal data, the Company regularly evaluates and, if necessary, updates the Privacy Policy in accordance with the requirements of regulatory enactments. We invite you to periodically get acquainted with the latest version of the Privacy Policy on the Company's website https://gr8.money/.

2. Personal data processing controller
SIA GR8 PAY, registration No. 50203643321, legal address: Marupes nov., Marupe, Malduguņu street 2, LV-2167
Telephone number for communication on data processing issues: +371 28644544
E-mail for communication on data processing issues: info@gr8.money

3. Scope of application of the Privacy Policy
The Privacy Policy is applicable to all natural persons whose personal data is processed by the Company, including (but not limited to) the Company's customers, potential customers, users of the application and website, recipients and payers of payment services, authorized persons, merchant representatives, as well as cooperation partners.

This Privacy Policy applies to the processing of personal data regardless of the type, form or communication channel through which personal data are transferred to the Company, including in person, in writing, on paper, by post, by telephone, electronically or using the Company's website.

4. Data processed by the Company, justification, purpose and other information (see Annex for more details)
We collect and process the following information: 
  • Identification and KYC/KYP (Know Your Customer as well as Know Your Partner) data: name, surname, personal identification number, copies of documents, proof of address, PEP (politically exposed person) and sanctions checks, video identification data, biometric data (if allowed by law);
  • Contact information: phone, e-mail, address;
  • Account and transaction data: payment history, amounts, recipients, card transaction information;
  • Devices and technical data: IP address, app events, logs; 
  • Communication data: correspondence, chats, recordings;
  • Marketing settings and cookies.

We only process personal data if there is an appropriate legal basis for the processing in accordance with the Regulation: 
  • Performance of the contract (Regulation 6(1)(b)): account maintenance, execution of payments;
  • Fulfilment of legal obligations (Regulation 6(1)(c)): prevention of money laundering, terrorism and proliferation financing (AML/CTPF), sanctions, requirements of the Payment Services and Electronic Money Act and the Payment Services Directive (Payment Services Directive 2 – PSD2), tax accounting; 
  • Legitimate interest (Regulation 6(1)(f)): security, fraud prevention, IT security, improvement of service quality;
  • Consent (Regulation 6(1)(a)): marketing, cookies, biometric solutions.

Payment Services Directive (PSD2) and third-party access: If you grant access to an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP), we only transfer the necessary data subject to PSD2 and Strong Customer Authentication (SCA) requirements.

We also process data of persons involved in the payment chain (e.g. payee's name/account). We receive this data from banks/networks. The processing is based on the performance of legal obligations and the contract, and is carried out in strict compliance with the requirements of the Law on Payment Services and Electronic Money, PSD2 and the Regulation.

5. Automated decision-making and profiling
We use automated transaction monitoring to detect fraud and ML/TPF risks. Our automated fraud/ML/TPF detection tools use signs of unusual transactions (e.g. amount, frequency, geography) to identify risk. Possible consequences: temporary suspension of transactions or a request for additional identification. You always have the right to request a review of the automated decision, an explanation of it and/or to challenge the decision.

6. Disclosure/transfer of data
We may disclose/transfer your data to the following data recipients: 
  • Service providers and processors (hosting, IT security, KYC services, customer support);
  • Financial partners (banks, card schemes, payment networks);
  • Traders (if necessary for the execution of the transaction);
  • Group companies;
  • Supervisory and state authorities (Bank of Latvia, DVI, Financial Intelligence Service – FID, courts, law enforcement agencies);
  • Third parties at your request (AISP, PISP);
  • Credit information offices.

7. Data transfers outside the EU/EEA
If your data is transferred outside the European Union (EU) or the European Economic Area (EEA), we use the European Commission's Standard Contractual Clauses (SCC) or other mechanisms, as well as provide additional technical and organisational security measures.

8. Data retention periods
  • KYC/AML/CTPF documents – 5 years after the termination of the relationship, possible extension up to 10 years at the request of the competent authority;
  • Accounting documents – up to 10 years in accordance with the Accounting Law;
  • Security/audit logs – at least 1 year, or longer if required by regulatory enactments;
  • Marketing data – until withdrawal of consent;
  • Cookies – in accordance with our Cookie Policy.

9. Cookies 
We use the necessary cookies to provide the service and (with your consent) analytics and marketing cookies. Cookie settings can be changed at any time.

10. Your rights
On the basis of a written request, you have the right to access, rectify and delete your data, to restrict its processing, to object to processing, and to data portability, as well as the right not to be subject to an automated decision:
  • Access to your personal data. You have the right to obtain confirmation from us as to whether your data is being processed, to access and receive the following information about your data: purposes of data processing; categories of personal data; recipients of personal data; the duration of storage of personal data or the criteria by which the duration of storage is determined.
  • Rectification of your personal data. You have the right to request the correction of your data if you find that the information at our disposal about you is incorrect or incomplete (in compliance with the requirements for correction of errors specified in regulatory enactments).
  • Deletion of your personal data. You have the right to request the erasure of your data if at least one of the following conditions is met: 1) the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; 2) You withdraw your consent to the processing of data and there is no other legal basis for their processing; 3) if the processing of data is justified by the observance of our legitimate interests or those of a third party, however, there is no overriding legitimate basis for the processing; 4) You object to the processing of your data for direct marketing purposes; 5) if the data have been processed unlawfully; 6) in order to ensure the fulfilment of a legal obligation specified for us in laws and regulations.
  • Restriction of your personal data. You have the right to request that we restrict the processing of your personal data held by us.
  • Object to the processing of your personal data. You have the right to object to the processing of your personal data based on the legitimate interests of the Company.
  • Data portability – You have the right to receive or transfer your personal data to another data controller (so-called "data portability"). This right only includes data that you have provided to us on the basis of your consent or contract and in cases where the processing is carried out by automated means. 

Your request must be in writing, signed with a personal signature, or in the form of an electronic document signed with a secure electronic signature.

We will respond to the request without undue delay and in compliance with the deadlines specified in regulatory enactments, if any, but not later than within one month from the moment of receipt of the request. 

We have the right to extend the deadline for replying by two months, informing you of the reasons for the extension, taking into account the volume of the request. A response to the request will be provided, taking into account, as far as possible, the preferred way of receiving the response specified by you.

11. Data security
We use appropriate technical and organizational measures: SCA (Strong Customer Authentication), encryption, access control, log monitoring, pseudonymization and supplier management.

Security management is implemented in accordance with the Information and Communication Technology (ICT) and security risk guidelines of the European Banking Authority (EBA), as well as the requirements of the Digital Operational Resilience Act (DORA) (incident management, resilience testing, third-party monitoring).

12. Receiving additional information and submitting complaints about data processing
In matters related to the processing of your personal data (including to provide feedback, raise objections to personal data processing processes, make requests), as well as if you believe that your right to personal data protection has been violated by us during the processing of your personal data, please contact us:
SIA GR8 PAY, registration No. 50203643321, legal address: Marupes nov., Marupe, Malduguņu street 2, LV-2167
Telephone number for communication on data processing issues: +371 28644544
E-mail for communication on data processing issues: info@gr8.money

In case you are not satisfied with the answer received, you have the right to submit a complaint to the Data State Inspectorate (address: Elijas street 17, Riga, LV-1050; e-mail: pasts@dvi.gov.lv; phone: +371 67223131).
