Privacy Policy
Last updated: 2025-01-05
Version: 3.0 (Non-Custodial Remittance Orchestration Platform)
Effective Date: 2025-01-05
1. Introduction
1.1 Overview
DONATION POS L.P. (trading as "PayWolt") operates a cross-border remittance orchestration platform that enables you to send international money transfers via licensed payment service providers. This Privacy Policy explains how we collect, use, disclose, and protect your personal data.
Critical Principle: PayWolt does not hold, custody, or transmit your funds. All regulated payment activities are performed by licensed payment service providers (Wise, Flutterwave, Stripe). This affects how we process your data.
1.2 Scope
This Privacy Policy applies to:
- The PayWolt mobile application ("App")
- The PayWolt website (www.paywolt.com)
- All cross-border remittance services offered through the Platform
This Privacy Policy does NOT apply to:
- Data processing by payment service providers (covered by their own privacy policies)
- Third-party websites or services linked from our Platform
1.3 Regulatory Compliance
This Privacy Policy complies with:
| Regulation | Full Title | Scope |
|---|---|---|
| GDPR | Regulation (EU) 2016/679 (General Data Protection Regulation) | All EU/EEA residents |
| Greek Law 4624/2019 | GDPR implementation in Greece | Greek residents |
| ePrivacy Directive | Directive 2002/58/EC | Electronic communications, cookies |
| PSD2 | Directive (EU) 2015/2366 (Payment Services Directive) | Payment data processing |
2. Data Controller
2.1 PayWolt as Data Controller
Data Controller:
DONATION POS L.P. (trading as PayWolt)
El. Venizelou 218
Kallithea, 17675
Athens, Greece
GEMI: 178825503000
Tax ID (AFM): 802572430
Privacy Contact:
- Email: privacy@paywolt.com
- Data Protection Officer (DPO): dpo@paywolt.com
2.2 Joint and Independent Data Controllers
PayWolt's Role: We are the data controller for:
- Account registration data
- Platform usage data
- Transfer orchestration metadata (status, timing, corridor selection)
- Customer support communications
Payment Service Providers' Role: Our licensed payment service providers (Wise, Flutterwave, Stripe) are independent data controllers for:
- Identity verification (KYC) data and documents
- Payment collection data (card details, bank account information)
- Payout execution data
- Transaction settlement records
- Compliance screening (AML/CTF)
Important: When you submit identity documents via the PayWolt Platform, we forward them directly to the relevant provider's API. The provider stores and processes these documents under their own privacy policy. PayWolt does not retain identity document images.
3. Personal Data We Collect
3.1 Data You Provide Directly
3.1.1 Account Registration Data
| Data Type | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Name | First name, last name | Account identification | Contract performance (GDPR Art. 6(1)(b)) |
| Email Address | username@example.com | Account authentication, communications | Contract performance |
| Phone Number | +XX XXX XXX XXXX | Two-factor authentication, notifications | Contract performance |
| Password | (hashed, not stored in plaintext) | Account security | Contract performance |
| Date of Birth | DD/MM/YYYY | Age verification, KYC forwarding to provider | Legal obligation (GDPR Art. 6(1)(c)) |
| Nationality | Country of citizenship | KYC forwarding to provider, sanctions screening | Legal obligation |
3.1.2 KYC Data (Forwarded to Provider)
Important: The following data is collected by PayWolt and immediately forwarded to the payment service provider performing your identity verification. PayWolt does NOT store identity documents.
| Data Type | Examples | Stored by PayWolt? | Stored by Provider? |
|---|---|---|---|
| Identity Document Images | Passport, national ID, driver's license | ❌ No (transient only) | ✅ Yes |
| Selfie Photo | Liveness verification photo | ❌ No (transient only) | ✅ Yes |
| Proof of Address | Utility bill, bank statement | ❌ No (transient only) | ✅ Yes |
| Source of Funds Documentation | Payslips, tax returns | ❌ No (transient only) | ✅ Yes |
What PayWolt Does Store:
- Verification status (e.g., "APPROVED", "PENDING", "REJECTED")
- Verification level (e.g., "BASIC", "STANDARD", "ENHANCED")
- Provider reference ID (e.g., "WISE-USER-123456")
- Verification timestamp
3.1.3 Transfer Data
| Data Type | Examples | Purpose |
|---|---|---|
| Recipient Name | Full name of beneficiary | Payout execution |
| Recipient Bank Details | IBAN, account number, SWIFT/BIC | Payout execution |
| Recipient Contact Information | Email, phone number | Transfer notifications |
| Transfer Amount | Source amount, target amount | Quote calculation, orchestration |
| Transfer Currency | NGN, EUR, GBP, etc. | Corridor determination, FX quote |
| Transfer Purpose | Personal support, gift, education, etc. | Regulatory compliance, statistics |
3.2 Data We Collect Automatically
3.2.1 Device and Technical Data
| Data Type | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Device Identifier | Unique device ID, advertising ID (if permitted) | Fraud prevention, security | Legitimate interest (GDPR Art. 6(1)(f)) |
| Device Information | Device model, operating system version, app version | Compatibility, debugging | Legitimate interest |
| IP Address | 192.0.2.1 (anonymized after 90 days) | Geolocation (country-level), fraud prevention | Legitimate interest |
| Browser Information | User agent, browser type, language preference | Technical support | Legitimate interest |
| Session Data | Login timestamp, session duration, logout timestamp | Security monitoring | Legitimate interest |
3.2.2 Usage Data
| Data Type | Examples | Purpose |
|---|---|---|
| Platform Interactions | Pages viewed, features used, buttons clicked | Service improvement, UX optimization |
| Transfer History | Transfer count, average amount, preferred corridors | Product analytics, corridor optimization |
| Error Logs | App crashes, API errors (anonymized) | Debugging, performance monitoring |
3.3 Data We Receive from Third Parties
3.3.1 Payment Service Providers
| Provider | Data Received | Purpose |
|---|---|---|
| Wise (Belgium EMI) | KYC verification status, transaction confirmation, payout status | Transfer orchestration, compliance monitoring |
| Flutterwave (African PI) | Payment collection confirmation, KYC verification status, payout delivery confirmation | Transfer orchestration, compliance monitoring |
| Stripe (US/EU PI) | Card payment authorization, collection status | Payment processing |
Note: Providers process your data as independent data controllers under their own privacy policies:
- Wise Privacy Policy: wise.com/privacy-policy
- Flutterwave Privacy Policy: flutterwave.com/privacy-policy
- Stripe Privacy Policy: stripe.com/privacy
3.3.2 Public Databases and Compliance Services
| Source | Data Type | Purpose |
|---|---|---|
| Sanctions Lists | EU Consolidated List, OFAC SDN List, UN Sanctions List | Sanctions screening (AML/CTF compliance) |
| PEP Databases | Politically Exposed Persons lists | Enhanced due diligence (AML/CTF compliance) |
| Fraud Prevention Services | Risk scores, device fingerprints | Fraud detection |
4. How We Use Your Personal Data
4.1 Service Delivery and Transfer Orchestration
Purpose: To provide cross-border remittance orchestration services.
Processing Activities:
- Account Management:
  - Create and manage your Account
  - Authenticate your identity during login
  - Maintain Account security
- Transfer Orchestration:
  - Generate foreign exchange quotes from Providers
  - Validate transfer details and compliance checks
  - Route payment collection instructions to Collection Provider
  - Monitor payment collection status
  - Initiate payout instructions to Payout Provider
  - Track payout delivery status
  - Update transfer status in real-time
- Customer Support:
  - Respond to inquiries and complaints
  - Investigate transfer issues
  - Provide transaction documentation
Legal Basis: Contract performance (GDPR Art. 6(1)(b)) - necessary to fulfill our Terms of Service.
4.2 Legal and Regulatory Compliance
Purpose: To comply with Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), and other legal obligations.
Processing Activities:
- KYC Verification (via Providers):
  - Forward identity documents to licensed payment service providers
  - Receive verification status from providers
  - Enforce transfer limits based on verification level
- Sanctions and PEP Screening:
  - Check your name against EU, UN, and OFAC sanctions lists
  - Screen for Politically Exposed Person (PEP) status
  - Block transfers to/from sanctioned jurisdictions
- Regulatory Reporting:
  - Report suspicious activity to financial intelligence units (if legally required)
  - Respond to lawful requests from regulators and law enforcement
  - Maintain transaction records for regulatory inspection
- Tax Compliance:
  - Report cross-border transfers as required by tax authorities
  - Issue tax documentation (where applicable)
Legal Basis: Legal obligation (GDPR Art. 6(1)(c)) - compliance with:
- Directive (EU) 2018/843 (5th Anti-Money Laundering Directive)
- Hellenic Law 4557/2018 (AML/CTF implementation in Greece)
- Payment Services Directive 2 (PSD2)
4.3 Security and Fraud Prevention
Purpose: To protect you, PayWolt, and our providers from fraud, unauthorized access, and financial crime.
Processing Activities:
- Fraud Detection:
  - Analyze transaction patterns for anomalies
  - Monitor for velocity abuse (multiple rapid transfers)
  - Detect suspicious behavior (e.g., Account takeover attempts)
- Device Security:
  - Fingerprint devices to detect unauthorized access
  - Monitor login locations for unusual patterns
  - Block access from known malicious IP addresses
- Transaction Monitoring:
  - Review high-risk transfers for manual approval
  - Detect structured transactions (smurfing)
  - Flag transfers inconsistent with user profile
Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)) - protecting against fraud and financial crime. Our legitimate interest: preventing loss, complying with provider requirements, maintaining platform security.
4.4 Service Improvement and Analytics
Purpose: To improve the Platform, optimize corridors, and develop new features.
Processing Activities:
- Product Analytics:
  - Analyze which corridors are most popular
  - Identify user experience friction points
  - Measure quote abandonment rates
  - Track feature usage statistics
- Performance Monitoring:
  - Measure API response times
  - Track transfer completion rates
  - Identify provider performance issues
- Research and Development:
  - Develop new corridor coverage
  - Optimize FX pricing
  - Improve transfer speed
Legal Basis: Legitimate interest (GDPR Art. 6(1)(f)) - improving service quality for all users.
Data Minimization: Analytics are performed on aggregated, pseudonymized data where possible.
4.5 Communications
Purpose: To send you important service updates, transaction notifications, and (with consent) marketing.
Processing Activities:
| Communication Type | Example | Legal Basis | Opt-Out |
|---|---|---|---|
| Transactional Notifications | "Your transfer is complete" | Contract performance (Art. 6(1)(b)) | ❌ Cannot opt out (required for service) |
| Security Alerts | "Login from new device" | Legitimate interest (Art. 6(1)(f)) | ❌ Cannot opt out (security) |
| Service Updates | "New corridor available: Ghana → UK" | Contract performance | ✅ Can opt out |
| Marketing Communications | "Refer a friend and earn €10" | Consent (Art. 6(1)(a)) | ✅ Can opt out anytime |
5. Data Sharing and Disclosure
5.1 Sharing with Payment Service Providers
Purpose: To execute your cross-border transfers.
Providers We Share With:
5.1.1 Wise (Belgium)
Provider Details:
- Legal Name: Wise Payments Limited (Belgium branch)
- License: Electronic Money Institution (EMI) authorized by National Bank of Belgium
- Privacy Policy: wise.com/privacy-policy
Data Shared:
- Identity data (name, date of birth, nationality) for KYC verification
- Identity documents (forwarded directly via API, not stored by PayWolt)
- Recipient bank details (for SEPA/SWIFT payouts)
- Transfer amount and currency (for FX quotes and payouts)
Provider's Role: Wise performs KYC verification, provides FX quotes, and executes payouts to European and global bank accounts.
5.1.2 Flutterwave (Nigeria, Ghana, Kenya, South Africa)
Provider Details:
- Legal Name: Flutterwave Technology Solutions Limited (and local entities)
- License: Licensed Payment Institution in Nigeria (CBN), Kenya (CBK), Ghana, South Africa
- Privacy Policy: flutterwave.com/privacy-policy
Data Shared:
- Identity data for KYC verification
- Identity documents (forwarded directly via API)
- Payment collection details (card, bank account, mobile money)
- Recipient bank details (for African payouts)
- Transfer amount and currency
Provider's Role: Flutterwave performs KYC verification, collects payments via cards/bank/mobile money, provides African FX quotes, and executes payouts to African bank accounts.
5.1.3 Stripe (United States/Europe)
Provider Details:
- Legal Name: Stripe, Inc. (US) / Stripe Payments Europe, Ltd. (Ireland)
- License: Authorized Payment Institution in EU and US states
- Privacy Policy: stripe.com/privacy
Data Shared:
- Payment card details (entered directly on Stripe-hosted page, not stored by PayWolt)
- Card payment authorization data
- Transaction amount and currency
Provider's Role: Stripe processes card payments for collection (where applicable).
Data Controller Relationship: Each Provider is an independent data controller for the data they process. PayWolt does not control how Providers use your data beyond the purposes specified in these integrations.
5.2 Sharing with Technical Service Providers
We share data with the following technical vendors:
| Service Provider | Service Type | Data Shared | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | Encrypted database backups, application logs | Data Processing Agreement (DPA), ISO 27001 certified |
| Sentry | Error monitoring | Crash logs, stack traces (anonymized) | DPA, data anonymization |
| Twilio | SMS delivery | Phone numbers, SMS content (2FA codes) | DPA, PCI-DSS Level 1 certified |
Data Processing Agreements: All technical vendors are bound by GDPR-compliant Data Processing Agreements (DPAs) pursuant to Article 28 GDPR.
5.3 Legal and Regulatory Disclosures
We may disclose your personal data to:
Regulatory Authorities:
- Hellenic Authority for Combating Money Laundering (Greece)
- European Banking Authority (EBA)
- National competent authorities in Provider jurisdictions
Law Enforcement:
- Pursuant to lawful requests (court orders, subpoenas)
- To prevent or investigate suspected criminal activity
- To comply with legal obligations
Legal Basis: Legal obligation (GDPR Art. 6(1)(c)) and vital interests (GDPR Art. 6(1)(d)).
Notice: Where legally permitted, we will notify you of legal disclosures. In some cases (e.g., ongoing investigations), we may be prohibited from providing notice.
5.4 No Sale of Personal Data
PayWolt does NOT sell your personal data to third parties for monetary or other consideration.
6. International Data Transfers
6.1 Transfers Outside the EEA
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including:
| Country | Provider/Service | Adequacy Status | Safeguards |
|---|---|---|---|
| United Kingdom | Wise | ✅ Adequacy Decision (EU-UK Trade and Cooperation Agreement) | N/A (adequate protection) |
| United States | Stripe, AWS | ❌ No adequacy decision | Standard Contractual Clauses (SCCs) approved by European Commission |
| Nigeria | Flutterwave | ❌ No adequacy decision | Standard Contractual Clauses (SCCs) |
| Kenya | Flutterwave | ❌ No adequacy decision | Standard Contractual Clauses (SCCs) |
6.2 Safeguards for International Transfers
For countries without an adequacy decision, we implement appropriate safeguards pursuant to GDPR Chapter V:
- Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses (Decision 2021/914) for all data transfers to third countries.
- Supplementary Measures: Where required by the Schrems II judgment (CJEU C-311/18), we implement supplementary technical and organizational measures:
  - End-to-end encryption of sensitive data
  - Data minimization (only necessary data transferred)
  - Regular audits of third-country processors
- Provider Certifications: Some providers participate in recognized certification mechanisms (e.g., ISO 27001, SOC 2 Type II).
6.3 Your Rights Regarding International Transfers
You have the right to:
- Request information about safeguards in place for international transfers
- Object to transfers to specific third countries (where technically feasible)
- Obtain copies of Standard Contractual Clauses
Contact privacy@paywolt.com for more information.
7. Data Retention
7.1 Retention Periods
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account Registration Data | Duration of Account + 5 years after closure | AML Directive (5AMLD) - Article 40 |
| Transfer Records | 10 years from transaction date | Hellenic Law 4557/2018 (AML implementation) |
| KYC Verification Status (metadata only) | 5 years after Account closure | AML Directive - Article 40 |
| Customer Support Communications | 3 years from last contact | Legitimate interest (dispute resolution) |
| Technical Logs (IP addresses, session data) | 12 months (anonymized thereafter) | Legitimate interest (security) |
| Marketing Consent Records | Until consent withdrawn + 3 years | Legitimate interest (consent management) |
| Fraud Investigation Records | 7 years from incident resolution | Legitimate interest (legal defense) |
7.2 Deletion After Retention Period
After retention periods expire:
- Secure Deletion: Data is securely deleted using industry-standard methods (e.g., cryptographic erasure, overwriting).
- Anonymization: Where deletion is not possible (e.g., for statistical purposes), data is irreversibly anonymized.
7.3 Legal Hold Exceptions
Retention periods may be extended if:
- Data is subject to a legal hold (e.g., litigation, regulatory investigation)
- You have an unresolved dispute with PayWolt
- Retention is required by a court order
8. Your Rights Under GDPR
As a data subject in the EU/EEA, you have the following rights:
8.1 Right of Access (Article 15)
What: Obtain confirmation of whether we process your data and receive a copy.
How to Exercise: Email privacy@paywolt.com with subject line: "GDPR Access Request"
Response Time: Within 1 month (extendable by 2 months for complex requests).
What You'll Receive:
- Categories of data processed
- Purposes of processing
- Recipients of data
- Retention periods
- Copy of data in machine-readable format (CSV, JSON)
8.2 Right to Rectification (Article 16)
What: Correct inaccurate or incomplete personal data.
How to Exercise:
- Update directly in App Settings, OR
- Email privacy@paywolt.com with corrected information
Response Time: Within 1 month.
8.3 Right to Erasure / "Right to be Forgotten" (Article 17)
What: Request deletion of your personal data.
How to Exercise: Email privacy@paywolt.com with subject line: "GDPR Erasure Request"
Limitations: We may refuse erasure if:
- Retention is required by legal obligation (e.g., 10-year AML retention for transaction records)
- Data is necessary for legal defense
- Data is necessary for regulatory compliance
Response Time: Within 1 month.
8.4 Right to Restriction of Processing (Article 18)
What: Request that we limit how we use your data.
When Available:
- You contest the accuracy of data (during verification period)
- Processing is unlawful, but you prefer restriction over deletion
- We no longer need the data, but you need it for legal claims
How to Exercise: Email privacy@paywolt.com with subject line: "GDPR Restriction Request"
Effect: We will store the data but not process it further (except with your consent or for legal claims).
8.5 Right to Data Portability (Article 20)
What: Receive your data in a structured, machine-readable format (CSV, JSON) and transmit it to another service.
Scope: Applies only to data:
- You provided to us, AND
- Processing is based on consent or contract performance, AND
- Processing is carried out by automated means
How to Exercise: Email privacy@paywolt.com with subject line: "GDPR Portability Request"
Response Time: Within 1 month.
8.6 Right to Object (Article 21)
What: Object to processing based on legitimate interests or for direct marketing.
8.6.1 Objection to Direct Marketing
Absolute Right: You have an absolute right to object to marketing at any time.
How to Exercise:
- Click "Unsubscribe" in marketing emails, OR
- Update preferences in App Settings > Notifications, OR
- Email privacy@paywolt.com
Effect: We will stop sending marketing communications immediately.
8.6.2 Objection to Processing Based on Legitimate Interests
What: Object to processing activities based on our legitimate interests (e.g., fraud prevention, analytics).
How to Exercise: Email privacy@paywolt.com with subject line: "GDPR Objection Request" and specify the processing activity.
Our Response: We will cease processing unless we demonstrate compelling legitimate grounds that override your interests (Art. 21(1)).
8.7 Right to Withdraw Consent (Article 7(3))
What: Withdraw consent for processing activities based on consent (e.g., marketing, optional features).
How to Exercise:
- Update in App Settings, OR
- Email privacy@paywolt.com
Effect: Withdrawal does not affect the lawfulness of processing before withdrawal.
8.8 Right to Lodge a Complaint with Supervisory Authority
What: File a complaint with your local data protection authority.
Greek Supervisory Authority:
Hellenic Data Protection Authority (HDPA)
Kifissias Ave. 1-3, 115 23 Athens, Greece
Email: contact@dpa.gr
Website: www.dpa.gr
EU-Wide: You may also complain to the supervisory authority in your country of residence or where the alleged infringement occurred.
9. Data Security
9.1 Technical Security Measures
We implement state-of-the-art technical safeguards:
| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.3 with Perfect Forward Secrecy for all data transmissions |
| Encryption at Rest | AES-256 encryption for all database storage |
| Access Controls | Role-Based Access Control (RBAC), principle of least privilege |
| Multi-Factor Authentication | Required for all staff accessing production systems |
| Secrets Management | Vault-based secrets storage with automatic rotation |
| Network Security | Firewalls, intrusion detection/prevention systems (IDS/IPS) |
| Security Monitoring | 24/7 automated monitoring with alerting (Sentry, CloudWatch) |
| Penetration Testing | Annual third-party security audits |
| Secure Development | OWASP Top 10 compliance, secure code reviews |
9.2 Organizational Security Measures
| Measure | Implementation |
|---|---|
| Staff Training | Annual data protection and security awareness training for all employees |
| Background Checks | Pre-employment screening for all staff with data access |
| Data Processing Agreements | GDPR-compliant DPAs with all vendors (Article 28) |
| Incident Response Plan | Documented procedures for data breach response |
| Business Continuity | Disaster recovery and backup procedures tested quarterly |
| Privacy by Design | Data protection integrated into all new features and systems |
| Data Minimization | Regular audits to ensure only necessary data is collected |
9.3 Data Breach Notification
In the event of a personal data breach:
Our Obligations:
- Notification to Supervisory Authority: Within 72 hours of becoming aware of the breach (GDPR Art. 33)
- Notification to You: Without undue delay if the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34)
What We'll Communicate:
- Nature of the breach
- Categories and approximate number of affected individuals
- Likely consequences
- Measures taken or proposed to address the breach
- Contact point for further information
How We'll Notify You:
- Email to your registered email address
- In-app notification
- Website notice (if email is not feasible)
10. Cookies and Tracking Technologies
10.1 What Are Cookies?
Cookies are small text files placed on your device when you visit our website or use our App. They enable us to recognize your device and provide functionality, security, and analytics.
10.2 Types of Cookies We Use
| Cookie Type | Purpose | Duration | Legal Basis |
|---|---|---|---|
| Strictly Necessary | Authentication, security, fraud prevention | Session (deleted on logout) | Legitimate interest (Art. 6(1)(f)) |
| Functional | Remember language preferences, settings | 1 year | Legitimate interest |
| Analytics | Measure app performance, user behavior | 2 years | Consent (Art. 6(1)(a)) |
| Marketing | (Currently not used) | N/A | Consent |
10.3 Third-Party Cookies
We do NOT use third-party advertising or tracking cookies (e.g., Google Analytics, Facebook Pixel). All analytics are performed using our own internal infrastructure.
10.4 Managing Cookies
Browser Settings: You can control cookies through your browser settings:
- Google Chrome: Settings > Privacy and Security > Cookies
- Safari: Preferences > Privacy > Cookies
- Firefox: Options > Privacy & Security > Cookies
App Settings: In the PayWolt App: Settings > Privacy > Cookie Preferences
Effect of Disabling Cookies: Disabling strictly necessary cookies may prevent you from using certain features (e.g., staying logged in).
10.5 Do Not Track (DNT)
We honor "Do Not Track" browser signals. If DNT is enabled, we will not set analytics cookies.
11. Special Categories of Personal Data
11.1 Biometric Data (Mobile App Authentication)
If you enable biometric authentication (fingerprint, Face ID):
What We Process:
- Biometric authentication result (success/failure) - stored locally on your device
- We do NOT process or store biometric templates on our servers
How It Works:
- Your device captures biometric data (e.g., fingerprint)
- Your device compares it to stored template (locally)
- Your device sends authentication result to PayWolt (not the biometric data itself)
Legal Basis: Consent (GDPR Art. 6(1)(a) and Art. 9(2)(a) for special category data).
Your Rights: You can disable biometric authentication at any time in App Settings > Security.
11.2 Other Special Categories
We do NOT knowingly process other special categories of personal data (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, health data, sex life/orientation) as defined in GDPR Article 9.
12. Children's Privacy
12.1 Age Restriction
Our Services are NOT directed to individuals under 18 years of age. We do not knowingly collect personal data from children.
Verification: During account registration, you must confirm that you are at least 18 years old.
12.2 Parental Notice
If you are a parent or guardian and believe your child has provided us with personal data:
- Contact us immediately at privacy@paywolt.com
- We will investigate and delete the data within 30 days
13. Automated Decision-Making and Profiling
13.1 Automated Decisions
We use automated processing (without human intervention) for:
| Decision | Method | Legal Basis | Your Rights |
|---|---|---|---|
| Fraud Detection | Machine learning model analyzing transaction patterns | Legitimate interest (Art. 6(1)(f)) | Right to object (Art. 21) |
| Sanctions Screening | Automated name matching against sanctions lists | Legal obligation (Art. 6(1)(c)) | Right to rectification if data is inaccurate |
13.2 Profiling
What: We analyze your transfer history to optimize service (e.g., suggest frequently used corridors).
Extent: Profiling is limited to service optimization and does NOT involve:
- Credit scoring
- Employment decisions
- Discriminatory profiling based on protected characteristics
Legal Basis: Legitimate interest (Art. 6(1)(f)).
13.3 Your Rights (Article 22)
You have the right to:
- Request human intervention: If an automated decision significantly affects you, request manual review
- Express your point of view: Provide context for a decision
- Contest the decision: Challenge the outcome
How to Exercise: Email privacy@paywolt.com with subject line: "GDPR Automated Decision Review"
14. Changes to This Privacy Policy
14.1 Notification of Changes
We may update this Privacy Policy to:
- Reflect changes in applicable law
- Incorporate new features or services
- Improve clarity or transparency
How We'll Notify You:
| Change Type | Notification Method | Advance Notice |
|---|---|---|
| Material Changes (e.g., new data sharing, changed purposes) | Email + in-app notice + website banner | 30 days |
| Non-Material Changes (e.g., clarifications, formatting) | Website posting | Effective immediately |
14.2 Acceptance
Explicit Consent: For material changes requiring consent (e.g., new marketing purposes), we will request your explicit opt-in.
Implied Acceptance: Continued use of the Service after the 30-day notice period constitutes acceptance of non-material changes.
Your Rights: If you disagree with changes:
- You may stop using the Service
- You may close your Account (see Terms of Service Section 8.2)
- Pending transfers will be processed under the previous Privacy Policy (if closure requested before effective date)
15. Contact and Complaints
15.1 Privacy Inquiries
For questions about this Privacy Policy or your personal data:
| Contact Type | Address |
|---|---|
| General Privacy Questions | privacy@paywolt.com |
| Data Protection Officer | dpo@paywolt.com |
| Postal Address | DONATION POS L.P., El. Venizelou 218, Kallithea 17675, Athens, Greece |
| Phone | (Not provided - email preferred for data subject requests) |
Response Time: We respond to inquiries within 5 business days (acknowledgment) and 30 days (substantive response).
15.2 Complaints to Supervisory Authority
If you believe we have violated your data protection rights, you have the right to lodge a complaint with:
Hellenic Data Protection Authority (HDPA):
Address: Kifissias Ave. 1-3, 115 23 Athens, Greece
Email: contact@dpa.gr
Website: www.dpa.gr
Phone: +30 210 6475 600
EU-Wide Authorities: You may also complain to the data protection authority in:
- Your country of residence
- Your country of work
- The country where the alleged infringement occurred
Alternative Dispute Resolution: Before filing a formal complaint, you may use the EU Online Dispute Resolution Platform: ec.europa.eu/odr
16. Additional Provisions
16.1 Language
This Privacy Policy is provided in English. Translations may be provided for convenience, but the English version prevails in case of discrepancies or disputes.
16.2 Severability
If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect.
16.3 Relationship to Terms of Service
This Privacy Policy supplements our Terms of Service. In the event of conflict between the two documents, the Terms of Service shall prevail to the extent necessary to resolve the conflict.
Document Control
| Field | Value |
|---|---|
| Version | 3.0 |
| Document Type | Privacy Policy |
| Effective Date | 2025-01-05 |
| Last Revised | 2025-01-05 |
| Next Review | 2026-01-05 |
| Owner | Legal & Compliance Department |
| Classification | Public |
| Revision Notes | Complete rewrite for non-custodial remittance orchestration model. Reflects provider-performed KYC, no document storage by PayWolt, and 3 payment service providers (Wise, Flutterwave, Stripe). Investor-grade legal language. |
| Related Documents | TERMS_OF_SERVICE.md, COOKIE_POLICY.md, REGULATORY_CLASSIFICATION.md |
BY USING PAYWOLT, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO THIS PRIVACY POLICY.
This Privacy Policy has been drafted to comply with EU General Data Protection Regulation (GDPR) and reflect PayWolt's non-custodial, orchestration-only business model for cross-border remittances. For legal advice regarding your specific data protection obligations, please consult qualified legal counsel.