Privacy policy

Effective date:

January 1, 2023

Last modified date:

1. Purpose and Scope

This Privacy Policy applies to information found on Mazepay’s websites, to your use of the services made publicly available as well as any solutions delivered in the Mazepay application. This Privacy Policy covers the following domains and sub-domains:

www.mazepay.com

www.app.mazepay.com

The purpose of this Privacy Policy is to inform you on how Mazepay collects, uses, and protects personal information as it applies on the individual websites.

2. Processing of your Personal Data

Mazepay A/S will take all steps reasonably necessary to ensure that your data is handled securely and in accordance with this Privacy Policy and that no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your data and other personal information.

​​

2.1. Visit to the www.mazepay.com domain

2.1.1. How and why we use your Personal Data

We collect and process your Personal Data on our website to improve the experience for visitors and share relevant material.

2.1.2. Categories and types of data collected and received

When you visit Mazepay’s website, we may collect basic session information including IP-address, referrer, device and browser characteristics, and timestamp.

If you choose to interact with the communication technologies available on our website, we may collect additional information directly from you including, but not limited to, your name, email, professional position, phone number, and company.

The purpose for collecting and processing this data is to provide our services and information on our website, to confirm your identity and verify your personal and contact details and to analyse and optimise website traffic. The legal basis for the processing is to comply with applicable laws and pursue the legitimate interests of Mazepay.

Anonymous use of Mazepay’s website (www.mazepay.com)

Please note that you can always use Mazepay’s website without providing personal information. This is done by you when selecting cookies and where you do choose not to share your personal information in forms and similar (see our Cookie Policy for further information). Mazepay does not automatically link individual personal information obtained with technical information (e.g. IP-address) to identify visitors.

2.1.3. Sharing of Personal Data

Mazepay acts as the data controller when collecting the information during your visit to www.mazepay.com. Mazepay does not share any collected, personal data with any 3rd party for commercial purposes. Mazepay uses sub-processors in accordance with the sub-processor documentation.

2.1.4. Retention and transfers of data

Mazepay stores the data up to 24 months after the last visit.

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your country where the data protection laws may differ from those in your jurisdiction. If you are located outside Denmark or the EEA/EU and choose to provide information to us, please note that we transfer the data, including Personal Data, to our sub-processors as set out in the sub-processor documentation linked above.

2.2. Use of app.mazepay.com domain

2.2.1. How and why we use your Personal Data

We collect and process information about you to provide the Mazepay service, to enable identification of individual users for compliance with the employer’s implementation of the Mazepay service, and to ensure compliance with applicable regulations including strong customer authentication requirements as set out in the Payment Service Directive 2.

2.2.2. Categories of data collected and received

When you use different functionalities of the Mazepay services, we may collect and process the following information directly from you, your employer, or your employer’s official representatives:

  • IP-address, name, professional email, professional position, phone number, employer
  • Identity documentation, such as a photocopy of your passport, driver’s license and similar where required for Know-Your-Customer activities
  • User behaviour when interacting with app.mazepay.com
  • Location, if relevant
  • Account numbers and parts of payment card numbers

The legal basis for collecting and processing this data is the contractual agreement your employer has entered or is considering entering into a contract with us regarding the use of Mazepay services which requires us to process the data in order to perform our obligations under the contract.

Further basis for collecting and processing these data is to comply with the legal obligations to ensure compliance with applicable regulations including but not limited to:

  • The Danish Anti-Money Laundering Act (in Danish “Hvidvaskloven” or as applicable in any countries where we are licensed to operate)
  • The Danish Payments Act (in Danish “Lov om betalinger” or as applicable in any countries where we are licensed to operate)
  • The Danish Data Protection Act (in Danish “Databeskyttelsesloven”)

The legal basis for collecting and processing data about you when you use the Mazepay services is Mazepay’s legitimate interest to develop the services, including strengthening IT security measures, preventing unauthorised access to and loss of sensitive and personal information, and to improve the overall user experience for Mazepay’s services. In this context, we ensure to only collect and process your personal information if our interest overrides your interest and your rights are not adversely affected by our processing.

2.2.3. Sharing of Personal Data

Mazepay acts as the data processor where the personal information is received from the individual’s employer. The employer who signs up to use the Mazepay services must have relevant legal terms in place with the individual employee to ensure the lawfulness of processing the Personal Data.

Mazepay acts as the data controller when you use the Mazepay service to ensure compliance regulatory requirements (e.g. Payment Service Directive 2). Mazepay further acts as a joint data controller in exchange of information with the associated corporate card issuing partner in order to continuously ensure that the identity and use of the Mazepay and issuing partner services happen in accordance with applicable legislation. Mazepay uses sub-processors in accordance with the sub-processor documentation as linked below.

2.2.4. Retention and transfers of data

We retain your data for as long as necessary for the purpose for which the data has been collected and is being processed. When your employer terminates a contract to deliver the Mazepay services, we usually store your personal information for an additional 7 years. This is done in order to comply with the regulatory requirements as set out in the applicable legislations as mentioned above or the Danish Financial Supervisory Authority’s requirements.

Your information, including Personal Data, may be transferred to - and maintained on - computers located outside of your country where the data protection laws may differ from those in your jurisdiction. If you are located outside Denmark or the EEA/EU and choose to provide information to us, please note that we transfer the data, including Personal Data, to our sub-processors as set out in the sub-processor documentation linked.

Mazepay uses sub-processors in accordance with the sub-processor documentation.

 

2.3. Security and integrity

Mazepay always processes Personal Data in accordance with applicable laws and regulations, and we have implemented appropriate technical and organisational security measures to prevent that your Personal Data is used for non-legitimate purposes or disclosed to unauthorised 3rd parties and otherwise protected from misuse, loss, alteration or destruction. The technical and organisational measures that we have implemented are designed to ensure a level of security appropriate to the risks that are associated with our data processing activities, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to your personal data including access control to premises, facilities, systems and data, disclosure control, input control, job control, availability control and segregation control.

Mazepay is subject to PCI-DSS self-assessment requirements and is therefore obligated to adhere to all the requirements stated by the PCI Security Standards Council. To get more information about the different requirements of the PCI Security Standards Council please read more here: https://www.pcisecuritystandards.org.

2.4. Profiling and decision automation

2.4.1. Profiling

Mazepay may use profiling in our work to combat money laundering, to detect and minimise the risk of fraud, and for identity validation.

2.4.2. Decision automation

Mazepay may automate decision-making based on the information collected about you in order to prevent fraud and ensure compliance with applicable legislation.

2.5. Rights of the data subjects

You have a range of important rights under EU law regarding your Personal Data. There are exceptions to these rights related to your employer’s contractual agreement with Mazepay, so access may be denied when we are legally prevented from making a disclosure.

2.5.1. Right of access

You have the right to access the personal information that we have collected including origination and purpose for which the information is processed. Your right to access may be limited by legislation or the information may be subject to an exemption from the right of access including but not limited to the overriding interest of another data subject, public interest and national defence, or safeguarding of our business secrets and practices.

2.5.2. Right to object

You have the right - under certain circumstances - to object to our processing of your Personal Data. This could be, for instance, where the processing is based on our legitimate interest.

2.5.3. Right to rectification

In case that the Personal Data collected is inaccurate, you have the right to rectify the data stored and processed. In case that the data is incomplete, you have the right to have the data completed. Such rectification may require that you provide additional or validated data.

​​

2.5.4. Right to erasure

You have a right to have your data erased in cases where purpose of the collection of the data has expired. However, Mazepay may be required to retain such Personal Data in accordance with applicable legislation, regulations or supervisory authorities guidance, or for the purpose of preparing, defending against, or exercising a legal claim.

2.5.5. Right to restrict processing

In the case that you have object, requested rectification, or erasure, you have the right to demand that we restrict the processing of the data to storage. Such restriction to store data will only be limited until the accuracy is verified or it was identified if your interest supersedes our interest or legal obligations.

2.5.6. Withdrawal of consent

You may retract your consent for Mazepay’s processing of your Personal Data at any time. In case that you retract your consent, we may not be able to offer you access to the Mazepay’s services or the services that your employer has entered into a contract for Mazepay to deliver.

Please note that Mazepay may continue to process your Personal Data based on, but not limited to, contractual obligations with your employer, our obligation to comply with applicable law, and similar.

2.6. Links to other Sites

Our Service may contain links to other sites that are not operated by us. If you click a 3rd party link, you will be directed to that 3rd party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and we assume no responsibility for the content, Privacy Policies, or practices of any 3rd party sites or services.

3. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "effective date" at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

4. Contact us

If you wish to exercise your rights within applicable legislation for insight into the data stored, objection, correction or erasure, or you have any questions about this Privacy Policy, Cookies or GDPR, please contact us by email at dpo@mazepay.com.

Country
Local registry
European Banking Authority's registry
BU Bulgaria

BU Bulgaria

Not applicable
CY Cyprus

CY Cyprus

Not applicable
Not applicable
DE Germany

DE Germany

Not applicable
Not applicable
ES Spain

ES Spain

Not applicable
Not applicable
FI Finland

FI Finland

Not applicable
Not applicable
FR France

FR France

Not applicable
Not applicable
GR Greece

GR Greece

Not applicable
Not applicable
HR Croatia

HR Croatia

Not applicable
Not applicable
IE Ireland

IE Ireland

Not applicable
Not applicable
IS Iceland

IS Iceland

Not applicable
Not applicable
IT Italy

IT Italy

Not applicable
Not applicable
LI Liechtenstein

LI Liechtenstein

Not applicable
Not applicable
LU Luxembourg

LU Luxembourg

Not applicable
Not applicable
LV Latvia

LV Latvia

Not applicable
Not applicable
NL The Netherlands

NL The Netherlands

RO Romania

RO Romania

Not applicable
Not applicable
SI Slovenia

SI Slovenia

Not applicable
Not applicable

Appendix A: Mazepay Cloud Service Terms

Appendix A contains the general terms and conditions for the use of the Mazepay platform where we address common legal terms including liability, confidentiality, etc.​

Download

Appendix B: Mazepay Payment Service Terms

Appendix B contains the payment service-related terms and conditions which Mazepay applies as a licensed payment institute subject to the supervision of the Danish Financial Supervisory Authority with a passported license in 30 countries.

Download

Appendix C: Mazepay Data Processing Agreement

Mazepay’s Data Processing Agreement (which complies with the GDPR requirements) with annexes describing the safeguarding measures applied to personal data and data processing.

Download

Appendix D: Mazepay Data and Outsourcing Service Providers

Appendix D is Mazepay’s list of service providers supporting our solution technically and enabling our processes. The service providers in the list are all identified potential sub-processors of personal data processed under the agreement.

Active

Download

Appendix E: Specification and documentation of standard Mazepay Services

Appendix E is a description of the work carried out by Mazepay and the responsibilities of Mazepay and you as the customer respectively. Appendix E also works as the instruction under which Mazepay operationally processes personal data exchanged under the agreement.

Download

Code of Conduct for Business Partners

Mazepay outlines the requirements and shares the endeavour to meet the high sustainability standards as well as to form fair and ethical relationships with key stakeholders (collectively known as “Business Partners”).

Download