ArcaPay UAB Privacy Policy

Effective from June 2025

INTRODUCTION

This Privacy Policy governs the manner in which ArcaPay UAB (henceforth, “ArcaPay”/ “us”) collects, uses, maintains and discloses information collected from users (each, a "User"/ “you”) of the arcapay.com website ("Website" or "Site"). This Privacy Policy applies to the Site and all products and services offered by ArcaPay UAB (“Services”).

This Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand the types of information we collect from you, how we use that information and the circumstances under which we might share it with third parties. By visiting and using our website you are accepting and consenting to the practices described in this Policy.

For the purpose of the relevant data protection legislation for the processing of personal data, the data controller is ArcaPay UAB, company number 305689591, registered office address at Konstitucijos pr. 21B, Vilnius, LT-01830 Lithuania.

ArcaPay UAB fully complies with the General Data Protection Regulation (“GDPR”). If you require further information on your rights under the GDPR, please visit the Data Protection Inspectorate’s website at www.ada.lt.

INFORMATION AND DATA WE COLLECT

We may collect and use the following data about you, depending on whether you are:

  • a visitor of our Website using any of our services;
  • a job applicant;
  • a prospective client of ArcaPay, its employee, contractor, officer or other authorised representative;
  • an existing client of ArcaPay and, where applicable, its employee, contractor, officer, ultimate beneficial owners, or other authorised representative;
  • a payee of our client whose payment transaction we were instructed to process;
  • our business partner or introducer and, where applicable, its employee, contractor, officer or other authorised representative;
  • our supplier and, where applicable, its employee, contractor, officer or other authorised representative.

What personal data do we collect from you?

What we may use your personal data for? Our legal basis for processing your personal data

Information you give us.

You may give us information about you by filling in forms when registering or using our Services or via correspondence, e.g. email or telephone. The information you give us may include:
  1. Identity data: first name, last name, father's name, date of birth, nationality, citizenship, tax identification number, ID/passport document number, date and place of issuance, your image in photo or video form, and facial scan data extracted from your photo or video (known as ‘biometric data’), to verify your identity during onboarding as part of our KYB checks, to authenticate you as an authorised user of our services, or to detect and prevent fraud;
  2. Contact data: home postal address and email address, phone number;
  3. Financial information: information on financial situation, financial solvency;
  4. Transaction data: payment details. We may also need additional commercial and/or identification information from you, e.g. if you send high-value transactions or as needed to comply with our anti-money laundering obligations under applicable law.

Information we collect about you

This includes details of the transactions you carry out when using our Services:
  1. Technical data: geographic location from which the transaction originates and the Internet protocol (“IP”) address used to connect your computer to the Internet;
  2. Usage data: Uniform Resource Locators (“URL”) clickstream to, through and from our Website, and technical information such as your browser type and version, time zone setting, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), browser plug-in types and versions, operating system and platform, as well as usernames and passwords;
  3. Marketing data: preferences regarding marketing communications from us or third party partners.

Information from other sources

We may also collect information about you from other sources, including but not limited to: official registers (e.g. corporate registries), social media, credit reference agencies, sanction and PEP screening and fraud prevention agencies and business directories or other publicly available sources.

How do we collect personal data from you?

As described above, ArcaPay collects personal data from you in several ways:

  1. Direct interactions: this includes information you provide to us through our website by filling in forms or corresponding with us by phone, email, or otherwise. The information collected here may include information about beneficiaries, shareholders, directors, and officers to help us deliver our services. The information you provide may include their name, address, email, telephone number, nationality, citizenship, or information about their financial situation. You may provide us with information about other accounts held by other financial institutions so that we can provide our services. The information you provide may include bank code, bank country, account type, bank name, and account number. This may be done by filling out forms on our websites or by contacting us by phone, email or otherwise. You must obtain prior consent from the individuals concerned before disclosing this information.
  2. Information accessible to third parties or the public: We may also collect information about you from other sources, including but not limited to: official registers (e.g. corporate registries), social media, credit reference agencies, sanction and PEP (politically exposed person) screening and fraud prevention agencies and business directories or other publicly available sources.

LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

We must have a legal basis to process your personal data. We will only use the information you give to us when the applicable law allows and as described below:

  1. To enter into or perform a contract with you.
  2. To comply with a legal or regulatory obligation as a Data Controller and regulated business:
    1. For the detection and prevention of crime.
    2. For compliance with anti-money laundering regulations and counter-terrorism financing regulations.
    3. For compliance with requests for information from law enforcement, courts or regulators.
  3. When we have your consent:
    1. When you are an existing client, we will only contact you with information about services similar to those which were the subject of a previous sale or negotiations of a sale to you.
    2. When you are a new customer, we will only contact you if you have consented to such

You may withdraw this consent at any time by using the links provided at the bottom of marketing emails from us, or by contacting our DPO. This will only affect the way we use personal information when the basis for doing so is your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. If this is the case, we will notify you.

  4. To fulfil our legitimate interest or that of a third party, and any such interests are not overridden by your interests or rights in the protection of your personal data.

The following summarises our legal basis for processing your personal data and the ways we may use your personal data:

What we may use your personal data for? Our legal basis for processing your personal data

1. To check your identity and business as part of our Know your Client/Know Your Business process.

This includes facial scan data extracted from any photo or video submitted (Biometric data).
- Legal obligations (article 6.1.c GDPR)
- Keeping to contracts between you and ArcaPay (article 6.1.b GDPR)
- Substantial public interest (article 9.2.g GDPR)

2. To provide our services.

In order to execute payments booked via our platform we need to collect your personal details regarding the transactions booked.
- Legal obligations (article 6.1.c GDPR)
- Keeping to contracts between you and ArcaPay (article 6.1.b GDPR)

3. Profiling.

Profiling carried out by us may involve processing of personal data by automated means for the purposes of legislation relating to risk management and continuous and periodic monitoring of transactions in order to prevent fraud.
- Legal obligations (article 6.1.c GDPR)
- Keeping to contracts between you and ArcaPay (article 6.1.b GDPR)
- Substantial public interest (article 9.2.g GDPR)

4. To notify you about changes to our Services.

As a regulated institution, we have to formally notify you in case of changes to our T&Cs, changes to your account, fraud prevention, or in case of other important information.
- Legal obligations (article 6.1.c GDPR)
- Keeping to contracts between you and ArcaPay (article 6.1.b GDPR)

5. To provide you with marketing material.

Where you give us consent and subscribe to our newsletter, ArcaPay shall send relevant marketing materials regarding our products. Where national laws allow, we’ll assume you want to be contacted by email or phone call with information about our products, services, offers and promotions. Where national laws require us to get your consent to send marketing communications, we’ll do so in advance.
- Consent (article 6.1.a GDPR). This means that you have given your consent to us collecting your personal data and sending you marketing information. Consent can be changed at any time by accessing your www.arcapay.com client account.
- Legitimate interests (article 6.1.f GDPR) to send direct marketing, ensure our direct marketing is relevant to your interests, develop our products and services, and to be efficient about how we meet our legal and contractual duties.

6. To ensure active troubleshooting, anonymous data analysis, testing, research, statistical and survey purposes.

- Legitimate interests (article 6.1.f GDPR) i.e. we need to be efficient about how we meet our obligations and we want to provide you with good products and services;
- Legal obligations (article 6.1.c GDPR)

7. To improve our Services.

- Legitimate Interest (article 6.1.f GDPR) i.e. we need to be efficient about how we meet our obligations and we want to provide you with good products and services

8. To measure or understand the effectiveness of advertising we serve and to deliver relevant advertising to you.

- Legitimate Interest (article 6.1.f GDPR) To understand how customers use our products so we can develop new products and improve the products we currently provide

9. To keep our Website safe and secure.

- Legal obligations (article 6.1.c GDPR)
- Legitimate Interest (article 6.1.f GDPR) To continually improve ArcaPay platform and website security in order to protect them from cyberattacks;
- Keeping to contracts between you and us (article 6.1.b GDPR)

10. To establish, exercise or defend our legal rights, including where we reasonably consider it is in our legitimate interests.

- Legitimate interests (article 6.1.f GDPR) For example, to protect ArcaPay during a legal dispute or send you anti-fraud communications
- Legal obligations (article 6.1.c GDPR)

DATA PROCESSING

Personal data is processed both manually and electronically in accordance with the above-mentioned purposes and in compliance with current regulations. We only permit authorised ArcaPay employees and third-party processors to have access to your information. Such employees and third-party processors are appropriately designated and trained to process data in line with our policies and procedures.

SHARING YOUR INFORMATION WITH OTHERS

We may share your personal information with our ArcaPay group companies where it is in our legitimate interests to do so, to abide by legal obligations, or for internal administrative purposes (for example, ensuring consistent and coherent delivery of our services to our customers, corporate strategy, compliance, auditing, monitoring, quality assurance, improvement of our services, statistical purposes etc).

We may also share your personal information with our service providers and subcontractors, including but not limited to payment processors, banking and financial institutions for the fulfilment of financial transactions, as well as the Central Bank of Lithuania and any other legal, regulatory or governmental institution that we are required to disclose information to.

CROSS-BORDER TRANSFERS OF PERSONAL DATA

The ArcaPay group of companies operates in multiple jurisdictions. Personal information may be transferred, accessed, and stored globally as necessary for the uses stated above and in compliance with local regulations.

Where we use suppliers or partners, the table below explains with which suppliers we normally share your personal data and why:

Type of data: Why we share it

Identity verification, PEP and sanctions screening service providers: To help us verify you to provide services to you and to abide by our legal obligations.

Our banking and financial service partners: To help us provide services to you. The services might be offered alongside or facilitated by other financial institutions, payment providers, or partners like accounting services or other banks/payment service providers. Transfers and disclosures to financial or payment institutions are necessary to provide ArcaPay services. Disclosures to ecosystem partners are made as authorized or requested, enabling use of their products and services.

Suppliers which provide IT services: To help us provide services to you. ArcaPay utilizes service providers for functions such as payment processing, technology support, cloud storage, market research, marketing analytics, and audits. Personal information is shared with these providers only to the extent necessary for their tasks. All service providers and partners receiving personal information are contractually obligated to protect and use it according to the Privacy Policy.

Communications services providers: To help us send emails, manage client relationships, and notify you of important changes to our Services.

Regulatory authorities (e.g. Bank of Lithuania, FNTT, court etc.): ArcaPay may be legally required to disclose user information to authorities, including regulators, courts, law enforcement, and tax agencies, both domestic and international. This may occur to comply with legal obligations, enforce terms, address security or fraud issues, or protect users. Such disclosures may happen with or without consent or notice, and will comply with legal processes like regulatory requests, subpoenas, court orders, or search warrants. ArcaPay is often prohibited from notifying users about these disclosures due to the legal process involved.

Potential Acquirers of our Business: If we are the subject of or are involved in any corporate merger, acquisition, consolidation, reorganization, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with bankruptcy or similar proceedings), we may share data with third parties during negotiations.

Occasionally, personal data may be transferred to or processed in locations outside of the European Union (“EU”), some of which may not have been determined by the European Commission to have an adequate level of data protection. In such cases, we take measures designed to provide the level of data protection required in the EU, including ensuring that data transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission, or another adequate transfer mechanism.

If we receive a request to disclose personal data from a law enforcement agency or regulatory body, we carefully validate such requests, including reviewing the legality of any order and challenging the order if there are grounds under the law to do so, before any personal data is disclosed.

PROTECTING YOUR INFORMATION

We adopt appropriate data collection, processing, storage, and data security measures to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site. Our data processing technologies are professionally hosted by a company that specialises in hosting solutions. When you provide sensitive information to us, we encrypt the transmission of that information using secure socket layer technology (SSL). We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once we receive it.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website; any transmission is at your own risk. Once we have received your information, we use strict procedures and security features to prevent unauthorised access. If you suspect any unauthorized use or access to your account or information, please contact us immediately.

All data is stored encrypted in the database format, and the minimum is kept as required by applicable laws and regulations; data is securely destroyed when it is no longer necessary for the purposes of the data processing.

EXECUTING YOUR RIGHTS TO DATA

Your rights in relation to your personal information processing are as follows:

  1. Right of access. You have a right of access to any personal information we hold about you. You can ask us for a copy of your personal information; confirmation if your personal information is being processed by ArcaPay; details about how and why we process your personal information; details of measures we implement if we transfer your information outside of the European Economic Area (EEA).
  2. Right to update your information. You have a right to request an update to any of your personal information which is out of date or incorrect.
  3. Right to delete your information. You have a right to ask us to delete any of your personal information which we are processing, where we are not required by law to retain it.
  4. Right to restrict use of your information. You have a right to ask us to restrict the way we use your personal information, e.g. for marketing and advertising.
  5. Right to data portability. You have a right to request us to provide your personal information to a third party provider of service.
  6. Right to object. You have a right to object to data processing where we process your personal information on the basis of your consent or our legitimate interest.
  7. Right to withdraw consent. For the processing activities where we have asked you for consent, you have the right to withdraw your consent at any time.
  8. Right to be informed. You have the right to be informed why and how we collect your personal data, how we will use this information, who we share it with, what are the security measures we take to protect this information and what your individual rights are.
  9. Right to not be subject to automated decision making, including profiling. Subject to exceptions, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We do not envisage (i) that any decisions will be taken about you using solely automated means, and/or (ii) that we will undertake any profiling of your personal data. However, we will notify you in writing if this position changes and will inform you of your rights as required by the applicable law.

To execute your GDPR rights please contact us via email [email protected] from the email address you are registered with on arcapay.com. We'll acknowledge the receipt of your request shortly and respond to your request within 30 calendar days, unless we tell you we are entitled to a longer period allowed by applicable law.

However, please note that certain personal information may be exempt from such requests in certain circumstances, for example if we need to keep using the information to comply with legal requirements and our own legal obligations or to establish, exercise or defend legal claims.

As a regulated business ArcaPay has an obligation to retain customers’ personal data as well as additional documents for preventing, detecting and investigating possible cases of money laundering and terrorist financing. To comply with regulatory requirements, a copy of the documents and customer’s personal information will be stored in our system for a period of eight years after the end of the business relationship with the customer or after the date of an occasional transaction. Please be aware that anti-money laundering and counter-terrorism financing regulatory requirements overrule the GDPR requirements.

If a customer’s request is manifestly unfounded or excessive, we reserve the right to refuse to act on the request or impose an administrative fee. If you think your rights are not fulfilled properly, you can always contact us at: [email protected].

COOKIE POLICY

Cookies are small pieces of information saved in your browser storage. They are used to improve the user experience in pages and help third party services to work properly. ArcaPay uses cookies on its website. Private data is never stored in cookies, only anonymous identifiers or other preferences. Data retention depends on the cookie policy but will not be more than 24 months. Please refer to our Cookie Policy for further information.

MARKETING COMMUNICATION PREFERENCES

We may communicate with our clients about new products or services, special offers, newsletters, and other marketing announcements if you have given your consent to provide you with direct marketing materials.

You can always change your preference in your profile settings and configure specific channels you wish to receive marketing communication through.

You may also opt-out and withdraw your consent at any time by using the links provided at the bottom of marketing emails from us.

Transactional information, e.g. information about received money, document requests and/or other information related to our core services, and updates to our policies or T&Cs applicable to you is not considered part of marketing communication and thus cannot be disabled.

DATA RETENTION

To abide by regulations applicable to regulated payment institutions regarding prevention of money laundering and terrorist financing, the GDPR, and the Law on Electronic Money and Electronic Money Institutions of the Republic of Lithuania, ArcaPay shall retain personal data for as long as necessary to achieve the original purpose we collected it for and in line with relevant laws.

Please see below personal data protection retention periods:

  • Client identification data and verification data - 8 years after termination of the contract relations;
  • Business correspondence with clients - 5 years after termination of the business relations;
  • Client complaints & related complaint data - 3 years from the date of the final response to the complainant;
  • Transaction history and related documents - 8 years after the execution or completion of the transaction.

Competent authorities may require us to keep the data for longer, thus the above data retention periods serve as a benchmark for data retention storage by ArcaPay.

CHANGES TO OUR PRIVACY POLICY

Any changes we may make to our Privacy Policy in the future will be posted on the Website and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our Privacy Policy.

FURTHER QUESTIONS AND HOW TO FILE A COMPLAINT

If you have any queries or complaints about our collection, use or storage of your personal information, or if you wish to exercise any of your rights in relation to your personal information, please contact us by email [email protected]. We will investigate and attempt to resolve your complaint regarding your data processing.

You may also make a complaint to the Lithuanian State Data Protection Inspectorate, L.Sapiegos g. 17, Vilnius, email [email protected].
