Privacy Policy

GURU PAY PRIVACY POLICY

Effective from August 28, 2024

This Privacy Policy (the “Policy”) describes what personal data UAB Guru Pay (the “Company”, “Guru Pay”, “we”,) collects and how we process them, with whom we share our clients, potential clients and visitors (You“) personal data, which we collect when you browse our https://gurupay.eu/ website (“the Website”), or when you wish to open an account and have to go through onboarding procedure, or when You use our online banking services, or when you contact us or provide us with your personal data by filling in forms and applications on our Website, or when we communicate with you via various means of communication tools (email, phone, or Website).

WHO WE ARE

UAB Guru Pay is an electronic money institution (EMI) providing e-money and payment services to customers in Lithuania, other the European Union (the EU) and European Economic Area (EEA) countries, Switzerland, Caribbean countries (Curacao, St. Vincent & Grenadines, St. Lucia), Anjouan. The Company carries out financial services activities such as issuance of e-money, opening of IBAN accounts, payment execution (SEPA, SWIFT, domestic and cross-border), etc. We are a modern variety of an ordinary and well-known bank, which allows all operations to be done without leaving your home, but just simply connected to the online bank.

We respect the privacy of our clients as well as potential customers and random visitors to our Website and we are committed to protecting it. Please, take time and read carefully this Policy and get acquainted with the terms and conditions of processing of your personal data and information about Your privacy rights. If you provide personal data on behalf of someone else, you are required to inform them about processing of their personal data and refer them to this Policy.

This Privacy Policy should be read and applied in conjunction with our Terms and Conditions and our Cookie Policy.

Data controller

UAB Guru Pay, a company incorporated and registered under the laws of Lithuania, with legal entity code 304891889, having its registered office address at J. Basanavičiaus St. 24, LT-03224 Vilnius, Lithuania, (phone number +37052626300, e-mail [email protected]), is acting as data controller of your personal data.

Data protection officer

In case You have any questions regarding the processing of Your personal data or exercise of Your rights, please contact our Data Protection Officer at [email protected].

WHAT PRINCIPLES DO WE FOLLOW WHEN PROCESSING PERSONAL DATA?

We respect Your privacy and collecting and processing only personal data that are necessary for the specified processing purposes. When processing personal data, we comply with applicable legal acts, including the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the “Regulation” or “GDPR”), the Law on Legal Protection of Personal Data of the Republic of Lithuania and other laws regulating the security of personal data. When processing personal data, we adhere to the principles relating to the processing of personal data established in the GDPR:

  • We process personal data in a lawful, fair and transparent manner;
  • We collect personal data for specified, explicit and legitimate purposes and do not further process them in a manner that is incompatible with those purposes;
  • We ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes of data processing specified by us, i.e. we do not collect or store redundant or unnecessary data;
  • We take all necessary measures to correct or delete personal data that is not accurate or correct;
  • We store data only for the period that is necessary for the purposes for which the personal data are processed;
  • We use appropriate technical and organizational security measures that ensure the security of personal data, including protection against unauthorized or unlawful data processing and against accidental loss, destruction or damage, including providing access to data or transferring data only to those employees or service providers, for whom such access is necessary due to the work functions they perform or the services they provide.

WHEN AND HOW WE PROCESS YOUR PERSONAL DATA?

We will only collect and process your personal data when we have a lawful purpose and legitimate ground for the processing. Most commonly, we will process your personal data in the following circumstances:

  • When you gave Your consent to process Your personal data for the particular purpose or purposes
  • When we have to perform the contract, we have entered with You or we are about to enter into and we need to take certain steps at Your request
  • When we need to comply with a legal or regulatory obligation
  • When it is necessary for the purposes of the legitimate interests pursued by the Company or by the third party and Your interests and fundamental rights do not override them.

WHAT PERSONAL DATA DO WE PROCESS?

The personal data we process (collect, use, store, share, etc.) about You depends on who you are and how we interact with you: whether you are our client and user of our online banking and/or other services, whether you are a private person or a representative (shareholder, Ultimate Beneficial Owner (the “UBO”) of our Corporate client, or just a regular visitor to our Website, or whether you apply for an open job position at our Company.

Opening a bank account

When you wish to open a bank account (a personal IBAN account or business account), you must fill in the Registration form, which can be found on our Website, and undergo a Client Onboarding procedure. As a financial institution we are obliged to verify a potential client in accordance with the requirements of the Law on the Prevention of Money Laundering and Terrorist Financing and related legal acts (hereinafter –AML/TFP requirements), including verification of potential client’s identity.

For the purpose of onboarding a new potential client and opening of bank account we shall process:

If you are a Private Client

If you are a Corporate Client
  • Your name (first name, last name)
  • Date of birth / Personal code (if applicable)
  • Email address
  • Phone number
  • Citizenship
  • Identity Card number/ Passport number
  • Permanent residential address (Post code, City, Country)
  • Communication address (if different from permanent residential address)
  • Tax identification number (TIN, if applicable)
  • Country of tax residence
  • Politically Exposed Person status (or relative to PEP)
  • Relation to US (citizen and/or tax resident)
  • Employment status (employer, position)
  • Source of Funds and Source of Wealth details
  • Signature
  • Verification of identity data (photo of your face and of ID document (ID card or passport), identity check status)
  • Technical data (IP address, location, device, browser, etc.).
  • Contact person data (full name, relation to company/position, phone number, email))
  • Signatory data (full name, phone number, email, citizenship, personal code (if not available – date of birth), ID number, country of residence, Tax identification number and tax residency country, PEP status (or relative to PEP), relation to US (citizen and/or tax resident), signature
  • Director (full name, personal code (if not available – date of birth), citizenship)
  • Ultimate Beneficial Owner (full name, citizenship, personal code (if not available – date of birth), ID number, country of residence, Tax identification number and tax residency country, PEP status (or relative to PEP), relation to US (citizen and/or tax resident), occupation (employer, position, source of income/wealth, email)
  • Verification of identity of Corporate client’s representative data (photo of your face and of ID document (ID card or passport), identity check status)
  • Technical data (IP address, location, device, browser, etc.)

The purpose of processing

(i)      To perform initial customer due diligence including verification of customers identity

(ii)     provision of services (opening a personal IBAN account for a Private Client and business account for a Corporate Client)

Legal basis for processing

(i)      to comply with legal obligation (AML/TFP requirements set in the legislation) and legitimate interest of the Company to ensure fraud prevention

(ii)     the performance of the contract or necessity to take steps at your request before entering a contract

The period of data storage

(i)      if onboarding is successful and the contract is concluded – 8 years after the end of contractual relationships. If the contract is not concluded, collected data is stored for 3 months (if the potential client does not respond) or 1 year (if the contract is not concluded due to certain risks we have identified)

(ii)     10 years after closing your account

If you use our online banking services

When you use our online banking services and functionality of our banking website https://online.gurupay.eu/ib/site/login (for making payments, currency exchange), we will collect personal data as necessary for provision of those services:

  • User login data (ID and password)
  • Beneficiary details
  • Payment details
  • Date, time
  • Amount and currency which was used
  • Name and (or) IP address of sender and receiver
  • Accounts number (e.g. IBAN)
  • Details of debit cards and credit cards (including the card number, expiry date and CVC)
  • Amount of transactions
  • Income, currency, currency exchange rate
  • Details of the merchant or ATMs associated with the transaction
  • Location
  • Technical data (information about devices being used, IP address, a unique device identifier, log-in information (login, password and other registration information), browser type and version, mobile network information, mobile operating system, the type of mobile browser used, information about the visit (including the links that have been clicked on (date and time)), page response times, length of visits to certain pages and other similar data)

The purpose of processing

provision of services

Legal basis for processing

the performance of the contract

The period of data storage

10 years after completed transaction

When we implement the Know Your Customer (KYC) principle and Anti-Money Laundering (AML) requirements and perform ongoing monitoring of the client and client’s financial transactions

As part of our services, we are obligated to collect certain personal data and information and conduct obligatory Know Your Customer (KYC) and Anti Money Laundering procedures, and perform ongoing monitoring of the client and client’s transactions s to ensure that these are in line with the client’s risk profile, their financial situation, and the Company’s wider knowledge of the client to detect unusual or suspicious transactions. For this purpose, we shall collect personal data:

If you are a Private Client

If you are a Corporate Client
  • Full name
  • Date of birth / Personal code (if applicable)
  • Email address
  • Phone number
  • Citizenship
  • ID Card / Passport data (number, date of issue and expiration, place of issue
  • Temporary or permanent residence permit in Lithuania (number, date of issue and expiration, place of issue)
  • Permanent residential address (Post code, City, Country)
  • PEP status (or relative to PEP)
  • Source of Funds details
  • Involvement in court procedures or relevant criminal record
  • Transactions data
  • Information on the applied sanctions
  • Signature
  • Technical data (IP address, location, device, browser, etc.).
  • Company name and code
  • Company’s representative (full name, personal code (if not available – date of birth), documents supporting representation of the company (power of attorney, articles of incorporation, etc.), representative’s ID Card / Passport data or Temporary or permanent residence permit in Lithuania data (number, date of issue and expiration, place of issue), citizenship, photo, signature)
  • Director (full name, personal code (if not available – date of birth), citizenship)
  • Ultimate Beneficial Owner (full name, citizenship, personal code (if not available – date of birth), ID number, country of residence, Tax identification number and tax residency country, PEP status (or relative to PEP), relation to US (citizen and/or tax resident), occupation (employer, position, source of income/wealth, email)
  • PEP status (or relative to PEP) – company’s director, UBO
  • Information on the applied sanctions (company’s director, UBO)
  • Source of funds/wealth
  • Involvement in court procedures or relevant criminal record
  • Counterparties (Company/Individual name; country);
  • Agreement with counterparties
  • If Client is an obligated entity – Corporate Client’s customer personal information (Name, Date of Birth, ID, etc.)
  • Transactions data
  • Technical data (IP address, location, device, browser, etc.)

The purpose of processing

To ensure prevention of money laundering and terrorist financing bey performing Know Your Customer procedure and ongoing monitoring

 

Legal basis for processing

to comply with legal obligation (KYC/AML requirements set in the legislation)

 

The period of data storage

8 years after the end of contractual relationships

 
       

If you communicate with us

When you contact us by e-mail and online banking or phone, in order to answer to your requests and provide you information and support, we shall process:

  • Full name
  • Address
  • E-mail
  • Personal code (if not available – date of birth)
  • ID number / Passport number
  • Your login data (log name and password)
  • Phone number
  • Other personal information you provide in your communication with us or is necessary to respond to your request
  • Technical data (IP address, location, device, browser, etc.) if you communicate through electronic means

The purpose of processing

to answer to client’s questions and requests while providing support

Legal basis for processing

the performance of the contract

The period of data storage

10 years after closing your account

When you contact us by phone, in order to identify you and to answer to your requests and provide you support we may record telephone calls and shall process:

  • Full name
  • User ID
  • Personal code (if not available – date of birth)
  • ID number / Passport number
  • Email
  • Phone number
  • Language you have chosen for the conversation
  • Recorded conversation
  • Other personal information you provide in your communication with us or is necessary to respond to your request
  • Technical data (IP address, location, device, browser, etc.)

The purpose of processing

To answer to your request and to improve the quality of our services

Legal basis for processing

Your consent and legitimate interest of the Company to ensure and/or improve the quality of our services

The period of data storage

180 days after request was solved

If you file a complaint with us

When you file any complaint in connection with our services, we are obliged to handle the complaint, and we must process:

  • Full name
  • Date of the complaint
  • Address
  • Phone number
  • E-mail address
  • Other personal information you provide in your complaint
  • Signature
  • Technical data (IP address, location, device, browser, etc.) if your complaint is submitted by electronic means

The purpose of processing

to ensure proper handling of received complaints

Legal basis for processing

to comply with legal obligation (Resolution of the Board of the Bank of Lithuania No. 03-105 for Rules for examining financial market participants complaints)

The period of data storage

3 years from the date of the final reply to the complainant

If you are applying for an open position in the Company (Recruitment process)

The Company is constantly growing and has open positions in the Company. If you are applying for a job at our Company in response to job advert, whether advertised on a Company’s profile on LinkedIn or you were recommended by third person (e.g. by current employees of the Company), we shall process personal data of job applicants and potential candidates for employment in order to assess the suitability of the candidate for a particular position you are applying for. During the recruitment process we may process the data that you provide us with your resume or application and/or we receive from other sources (e.g. recommendations from your previous employers):

  • Full name
  • Contact details (phone number, email)
  • Education
  • Work experience
  • Professional experience (certificates)
  • Other information that you provide on your resume and cover letter (including but not limited to photograph, date of birth, residential address, etc. which are not mandatory and provided by sole intention of the applicant)
  • Recommendations from previous employers
  • Results/findings of the interview with the candidate
  • Communication with the candidate during the recruitment process
  • Technical data (IP address, location, device, browser, etc.) if your application is submitted by electronic means

The purpose of processing

to identify and evaluate candidates for potential employment (assessing his/her suitability for particular position) and contacting candidates

Legal basis for processing

your consent (by applying for a particular position in the Company and sending your resume and other documents to us)

The period of data storage

until the until the recruitment process is completed, but not longer than 1 year from the date of your consent

DIRECT MARKETING

We may engage in various marketing activities and try to improve our Services and user experience. We need to know what Services are or could be most interesting and useful for our clients, from which countries they come to our Website, how often they return, which browsers they use, on which devices the Website is browsed, what is their IP address. We may collect that data by using third party tools such as cookies and other technologies. Please see our Cookie Policy for further details.

If you are our client or expressed an interest in Company’s services and products, shall send you information you have requested and we from time to time shall send you new information about our services and products, latest blog posts and updates from industry experts as well as we may ask you to evaluate our services or give us your feedback. For this purpose, we shall process

  • Your name
  • Email
  • Phone number

The purpose of processing

to provide you with information about our services or which could be interesting for you

Legal basis for processing

Your consent and legitimate interest of the Company to promote its services/products and providing customers with information and improve the quality of our services

The period of data storage

5 years

You can cancel receiving information from us and/or unsubscribe by clicking a link at the end of the message or by contacting us at [[email protected]]

If you shall not provide us your personal data

In case we need to process personal data by legal obligation or under the terms of a contract we have entered with you (or if we need to take steps at your request prior to entering into a contract) and you do not provide us with necessary personal data, we may not be able to conclude and execute a contract with you and provide services.

Links to other sites

Our Website may contain links to other sites, e.g. links to social media websites such as our LinkedIn account (https://www.linkedin.com/company/gurupay/about/). This Policy is applicable only with respect to our Website and online banking website, but not any other sites, therefore we strongly recommend to review privacy policies of any websites that you may reach by following hyperlinks presented on our Website. We have no control and no responsibilities regarding any data processing by data controllers of such other websites.

WHO CAN WE SHARE YOUR DATA WITH?

We put our best efforts to keep your data safe and always require the highest level of security and confidentiality from our employees and partners.

We use third party service providers to undertake processing operations on our behalf, and this may require us to share your personal data with them when they provide services to Guru Pay. If our service providers need access to your personal data and/or to process them to provide services to us, this will be done only according to Data processing agreements we shall sign with all our data processors. Nevertheless, we will control and shall always remain responsible for the use of your personal data. The categories of entities that may have access to your personal data:

  • Providers of information technology services such as hosting services and other key operational systems such as banking modules
  • Providers of AML/TFP, KYC and fraud prevention services
  • Other professional service providers such as accountants, legal consultants, audit firms etc.
  • Our business partners, agents or intermediaries who are a necessary part of the provision of our products and services (including payment card providers, other financial institutions, correspondent banks, etc.)
  • State institutions to whom we are obliged to provide data (State Tax Inspectorate, Bank of Lithuania, Financial Crime Investigation Service, the police and/or other lawful enforcement agencies, courts, etc.)

We may also provide your data (or allow access to your data) for our IT support service providers on case-by-case basis in case of specific incident resolution, e.g. customer service issue, security incident investigation, etc.

Some of our service providers and partners are established outside the European Union (EU) or the European Economic Area (EEA) thus in certain situations we may need to transfer your personal data outside the EU/EEA. Whenever we transfer your data to the third countries outside the EEA, we ensure that that an adequate degree of protection is afforded to your data by ensuring at least one of the following safeguards is implemented:

  • transfer your data to countries that ensure an adequate level of protection of personal data by decision of the European Commission (“Adequacy Decision countries”);
  • transfer of your data based on appropriate safeguards implemented by data controller or processors, i.e. at least we will enter into agreements, such as standard contractual clauses (SCC) and require data receivers to provide the appropriate level of protection for the data;
  • we may seek your consent for transfers of your personal data for specific purposes.

WHAT ARE YOUR RIGHTS?

As a data subject you have certain rights in relation to your personal data. You can exercise the rights that are mentioned further by contacting us at [email protected].

  • The right of access – you may, at any time, request access to the personal data that we hold which relates to you and receive a copy of data that we hold about you to enable you to check that it is correct and to ensure that we are processing that personal data lawfully.
  • The right to rectification– you may, at any time, request us to correct personal data that we hold about you which you believe is incorrect or inaccurate. We may ask you to verify any new data that you provide to us and may take our own steps to check that the new data you have supplied us with is right
  • The right to erasure (“right to be forgotten”) – you may also ask us to erase personal data if you do not believe that we need to continue retaining it. We are not always obliged to erase personal data when asked to do so; if, for any reason, we believe that we have a good legal ground to continue processing of your personal data that you have asked us to erase (e.g. your personal data is still processed for other legitimate purposes or we have to comply with a legal obligation or for the establishment, exercise or defense of legal claims). If personal data is erased under your request, we will only retain such copies of the information as are necessary for us to protect our or third parties’ legitimate interests, comply with governmental orders, resolve disputes, troubleshoot problems, or enforce any agreement you have entered with us.
  • The right to restrict processing – in those situations when processing of your personal data is based on our legitimate interest you are entitled to ask us to stop processing it in that way if you feel that our continuing to do so impacts on your fundamental rights and freedoms or if you feel that those legitimate interests are not valid. You may also ask us to stop processing your personal data in these situations:
  • if you dispute the accuracy of personal data we are processing and want us to verify that data’s accuracy
  • where it has been established that our use of the data is unlawful, but you do not want us to erase it
  • where we no longer need to process your personal data (and would otherwise dispose of it) but you wish for us to continue storing it to enable you to establish, exercise or defend legal claims
  • The right to data portability – you can ask us to provide you or transmit those data directly to another controller of your choice, where technically feasible, certain personal data that we hold about you in a structured, commonly used machine-readable format. However, you must keep in mind that you may exercise the right of data portability only on data that is processed based on your consent or on a performance of a contract between you and us and that is being processed by automated means. We can guarantee only transferring data to you in such occasions and cannot be responsible with technical compatibility of other party systems where data transfer is requested.
  • The right to withdraw consent regarding processing of personal data – you may withdraw your given consent for processing of personal data for particular purposes at any time by informing us at [[email protected]]. or following the procedure that was specified before obtaining your consent.
  • The right to object (to automated decision making and profiling) – you have the right to be informed about the existence of any automated decision making and profiling of your personal data and where appropriate, be provided with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing that affects you.
  • The right to lodge a complaint with a supervisory authority – if you think that your rights have been violated, you may file a complaint to a State Data Protection Inspectorate (L. Sapiegos str. 17, LT-10312 Vilnius , phones: +370 5 271 2804 / 279 1445, fax +370 261 9494, email [email protected])

HOW CAN YOU EXERCISE YOUR RIGHTS?

You can submit a request by sending it by mail or e-mail or by submitting it through an online banking system. The request must provide sufficient details that allow us to properly understand, evaluate, and respond to it (should be clear, include your name, information about what rights and to what extent you wish to exercise, and how you would like to receive a response, and the request must be signed). If you submit your application electronically, the information will also be provided electronically, unless you request in advance to provide it in different way.

Your request must also provide sufficient information that allows us to reasonably verify you are the person or an authorized representative of a person whose personal data we are processing. If your request is submitted by an authorized representative, a written authorization (power of attorney) and information that verifies the identity of the representative must be enclosed with the request.

We cannot provide you with the information or exercise your other rights if we cannot verify your identity. If we cannot identify you from the information provided or if we have reasonable doubts about your identity, we may request additional you to provide additional information about yourself.

We will endeavor to process your requests and provide you with the information as soon as possible, but no later than 30 calendar days from the date of receipt of your request. If due to certain circumstances, such as the complexity of the submitted request (e.g. if it is necessary to seek the assistance of data processors) or the large number of other requests processed by the Company, the period may be extended up to two further months. In such case we will inform you of any extension within one month of the receipt of your request together with the reasons for the delay.

Requests are processed and information and data are provided free of charge, but we reserve the right, in certain cases, to either waive your rights (where the request is unreasonable or disproportionate or repetitive), or the provision of information may be subject to charges – a reasonable fee considering the administrative costs of providing information or communication.

UPDATES OF THE PRIVACY POLICY

We may change this Policy from time to time based on changes to applicable laws and regulations or other requirements applicable to us, changes in technology, or changes to our business. Any changes we make to the Policy in the future will be posted on our Website at https://gurupay.eu/privacy-policy/. We may also notify you directly via our banking website about the changes and the effective date of the updated Privacy. We encourage you to review the information and any changes to the Policy regularly. If you continue to use our services after the effective date that will mean that you have accepted the changes.

If you have any questions about our Privacy Policy or processing of your personal data, please contact us or our Data Protection Officer by contacts mentioned above.

This Privacy Policy was last updated in August 28, 2024.