Effective date:
January 1, 2023
Last modified date:
This Privacy Policy applies to information found on Mazepay’s websites, to your use of the services made publicly available as well as any solutions delivered in the Mazepay application. This Privacy Policy covers the following domains and sub-domains:
The purpose of this Privacy Policy is to inform you on how Mazepay collects, uses, and protects personal information as it applies on the individual websites.
Mazepay A/S will take all steps reasonably necessary to ensure that your data is handled securely and in accordance with this Privacy Policy and that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your data and other personal information.
We collect and process your Personal Data on our website to improve the experience for visitors and share relevant material.
When you visit Mazepay’s website, we may collect basic session information including IP-address, referrer, device and browser characteristics, and timestamp.
If you choose to interact with the communication technologies available on our website, we may collect additional information directly from you including, but not limited to, your name, email, professional position, phone number, and company.
The purpose for collecting and processing this data is to provide our services and information on our website, to confirm your identity and verify your personal and contact details and to analyse and optimise website traffic. The legal basis for the processing is to comply with applicable laws and pursue the legitimate interests of Mazepay.
Anonymous use of Mazepay’s website (www.mazepay.com)
Please note that you can always use Mazepay’s website without providing personal information. This is done by you when selecting cookies and where you do choose not to share your personal information in forms and similar (see our Cookie Policy for further information). Mazepay does not automatically link individual personal information obtained with technical information (e.g. IP-address) to identify visitors.
Mazepay acts as the data controller when collecting the information during your visit to www.mazepay.com. Mazepay does not share any collected, personal data with any 3rd party for commercial purposes. Mazepay uses sub-processors in accordance with the sub-processor documentation.
Mazepay stores the data up to 24 months after the last visit.
Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your country where the data protection laws may differ from those in your jurisdiction. If you are located outside Denmark or the EEA/EU and choose to provide information to us, please note that we transfer the data, including Personal Data, to our sub-processors as set out in the sub-processor documentation linked above.
We collect and process information about you to provide the Mazepay service, to enable identification of individual users for compliance with the employer’s implementation of the Mazepay service, and to ensure compliance with applicable regulations including strong customer authentication requirements as set out in the Payment Service Directive 2.
When you use different functionalities of the Mazepay services, we may collect and process the following information directly from you, your employer, or your employer’s official representatives:
The legal basis for collecting and processing this data is the contractual agreement your employer has entered or is considering entering into a contract with us regarding the use of Mazepay services which requires us to process the data in order to perform our obligations under the contract.
Further basis for collecting and processing these data is to comply with the legal obligations to ensure compliance with applicable regulations including but not limited to:
The legal basis for collecting and processing data about you when you use the Mazepay services is Mazepay’s legitimate interest to develop the services, including strengthening IT security measures, preventing unauthorised access to and loss of sensitive and personal information, and to improve the overall user experience for Mazepay’s services. In this context, we ensure to only collect and process your personal information if our interest overrides your interest and your rights are not adversely affected by our processing.
Mazepay acts as the data processor where the personal information is received from the individual’s employer. The employer who signs up to use the Mazepay services must have relevant legal terms in place with the individual employee to ensure the lawfulness of processing the Personal Data.
Mazepay acts as the data controller when you use the Mazepay service to ensure compliance regulatory requirements (e.g. Payment Service Directive 2). Mazepay further acts as a joint data controller in exchange of information with the associated corporate card issuing partner in order to continuously ensure that the identity and use of the Mazepay and issuing partner services happen in accordance with applicable legislation. Mazepay uses sub-processors in accordance with the sub-processor documentation as linked below.
We retain your data for as long as necessary for the purpose for which the data has been collected and is being processed. When your employer terminates a contract to deliver the Mazepay services, we usually store your personal information for an additional 7 years. This is done in order to comply with the regulatory requirements as set out in the applicable legislations as mentioned above or the Danish Financial Supervisory Authority’s requirements.
Your information, including Personal Data, may be transferred to - and maintained on - computers located outside of your country where the data protection laws may differ from those in your jurisdiction. If you are located outside Denmark or the EEA/EU and choose to provide information to us, please note that we transfer the data, including Personal Data, to our sub-processors as set out in the sub-processor documentation linked.
Mazepay uses sub-processors in accordance with the sub-processor documentation.
Mazepay always processes Personal Data in accordance with applicable laws and regulations, and we have implemented appropriate technical and organisational security measures to prevent that your Personal Data is used for non-legitimate purposes or disclosed to unauthorised 3rd parties and otherwise protected from misuse, loss, alteration or destruction. The technical and organisational measures that we have implemented are designed to ensure a level of security appropriate to the risks that are associated with our data processing activities, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your personal data including access control to premises, facilities, systems and data, disclosure control, input control, job control, availability control and segregation control.
Mazepay is subject to PCI-DSS self-assessment requirements and is therefore obligated to adhere to all the requirements stated by the PCI Security Standards Council. To get more information about the different requirements of the PCI Security Standards Council please read more here: https://www.pcisecuritystandards.org.
Mazepay may use profiling in our work to combat money laundering, to detect and minimise the risk of fraud, and for identity validation.
Mazepay may automate decision-making based on the information collected about you in order to prevent fraud and ensure compliance with applicable legislation.
You have a range of important rights under EU law regarding your Personal Data. There are exceptions to these rights related to your employer’s contractual agreement with Mazepay, so access may be denied when we are legally prevented from making a disclosure.
You have the right to access the personal information that we have collected including origination and purpose for which the information is processed. Your right to access may be limited by legislation or the information may be subject to an exemption from the right of access including but not limited to the overriding interest of another data subject, public interest and national defence, or safeguarding of our business secrets and practices.
You have the right - under certain circumstances - to object to our processing of your Personal Data. This could be, for instance, where the processing is based on our legitimate interest.
In case that the Personal Data collected is inaccurate, you have the right to rectify the data stored and processed. In case that the data is incomplete, you have the right to have the data completed. Such rectification may require that you provide additional or validated data.
You have a right to have your data erased in cases where purpose of the collection of the data has expired. However, Mazepay may be required to retain such Personal Data in accordance with applicable legislation, regulations or supervisory authorities guidance, or for the purpose of preparing, defending against, or exercising a legal claim.
In the case that you have object, requested rectification, or erasure, you have the right to demand that we restrict the processing of the data to storage. Such restriction to store data will only be limited until the accuracy is verified or it was identified if your interest supersedes our interest or legal obligations.
You may retract your consent for Mazepay’s processing of your Personal Data at any time. In case that you retract your consent, we may not be able to offer you access to the Mazepay’s services or the services that your employer has entered into a contract for Mazepay to deliver.
Please note that Mazepay may continue to process your Personal Data based on, but not limited to, contractual obligations with your employer, our obligation to comply with applicable law, and similar.
Our Service may contain links to other sites that are not operated by us. If you click a 3rd party link, you will be directed to that 3rd party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and we assume no responsibility for the content, Privacy Policies, or practices of any 3rd party sites or services.
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "effective date" at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
If you wish to exercise your rights within applicable legislation for insight into the data stored, objection, correction or erasure, or you have any questions about this Privacy Policy, Cookies or GDPR, please contact us by email at dpo@mazepay.com.
Appendix A contains the general terms and conditions for the use of the Mazepay platform where we address common legal terms including liability, confidentiality, etc.
Appendix B contains the payment service-related terms and conditions which Mazepay applies as a licensed payment institute subject to the supervision of the Danish Financial Supervisory Authority with a passported license in 30 countries.
Mazepay’s Data Processing Agreement (which complies with the GDPR requirements) with annexes describing the safeguarding measures applied to personal data and data processing.
Appendix D is Mazepay’s list of service providers supporting our solution technically and enabling our processes. The service providers in the list are all identified potential sub-processors of personal data processed under the agreement.
Appendix E is a description of the work carried out by Mazepay and the responsibilities of Mazepay and you as the customer respectively. Appendix E also works as the instruction under which Mazepay operationally processes personal data exchanged under the agreement.
Mazepay outlines the requirements and shares the endeavour to meet the high sustainability standards as well as to form fair and ethical relationships with key stakeholders (collectively known as “Business Partners”).