PRIVACY POLICY

TransaPay (High-Risk Payment Orchestration Platform)

Effective Date: December 11, 2025
Website: https://transa-pay.com

1. DATA CONTROLLER INFORMATION

This Privacy Policy describes how personal data is collected, used, and shared by:

SES TECHNOLOGY S.P Z.O.O (KRS 0001143888)
Address: ul. Głogowska 82 / 22, 60-741 Poznań, Poland
Email: legal@transa-pay.com

For the purposes of applicable data protection laws, SES TECHNOLOGY acts as the Data Controller or Joint Controller, depending on the processing context and involvement of third-party regulated financial institutions.

2. SCOPE OF THIS POLICY

This Privacy Policy applies to:

• Merchants using TransaPay services

• Merchant representatives, directors, and beneficial owners

• End-users whose payment data is processed through TransaPay infrastructure

• Visitors to the website transa-pay.com

3. NATURE OF THE SERVICE

TransaPay is a payment orchestration and technology infrastructure provider enabling connectivity between merchants and third-party regulated financial institutions, including:

• Licensed payment service providers (PSPs)

• Acquiring banks

• Card processors and networks

• Compliance and fraud prevention providers

TransaPay does not act as a bank, EMI, or custodian of funds. Payment execution and settlement occur exclusively through regulated third parties.

4. CATEGORIES OF PERSONAL DATA COLLECTED

Depending on usage, we may collect and process the following categories of personal data:

4.1 Merchant Onboarding (KYB / Compliance)

• Company name, registration number, and corporate structure

• Directors, shareholders, and beneficial owner identities

• Government-issued identification documents

• Proof of address and business operations

• Banking and settlement account details

• Website and business model information

4.2 Transaction Data

• Payment amounts, timestamps, and currency

• Card metadata (masked PAN, BIN data where applicable)

• Payment routing information

• Refund and chargeback data

• Fraud and risk scoring signals

4.3 Technical Data

• IP address and geolocation (approximate)

• Device and browser information

• Log data and system access records

• Cookies and tracking identifiers

4.4 Communication Data

• Emails and support communications

• Compliance correspondence

• Legal documentation exchanges

5. PURPOSES OF PROCESSING

Personal data is processed for the following purposes:

• Merchant onboarding and identity verification (KYB/KYC)

• Compliance with AML/CTF obligations

• Fraud prevention, detection, and risk management

• Transaction routing and payment orchestration

• Chargeback and dispute management

• Regulatory reporting obligations

• System security, monitoring, and audit logging

• Customer support and operational communications

• Legal claims and dispute handling

6. LEGAL BASES FOR PROCESSING (GDPR)

We rely on the following legal bases under Regulation (EU) 2016/679 (GDPR):

• Article 6(1)(b) – Performance of a contract

• Article 6(1)(c) – Legal obligation (AML, accounting, financial compliance)

• Article 6(1)(f) – Legitimate interests (fraud prevention, risk monitoring, platform security)

• Article 6(1)(a) – Consent (where explicitly required, e.g., cookies or marketing)

Where special category data is incidentally processed (rare and indirect), appropriate safeguards are applied.

7. DATA SHARING & THIRD PARTIES

Personal data may be shared with the following categories of recipients:

7.1 Regulated Financial Institutions

• Acquiring banks

• Payment service providers (PSPs)

• Card networks and settlement partners

7.2 Compliance & Risk Providers

• AML/KYC verification providers

• Fraud detection systems

• Sanctions screening databases

7.3 Service Providers

• Cloud infrastructure providers

• IT and security service vendors

• Analytics and monitoring tools

7.4 Legal & Regulatory Authorities

Where required by law or regulatory obligation, data may be shared with:

• Financial regulators

• Law enforcement agencies

• Tax authorities

• Courts or legal representatives

TransaPay does not sell personal data.

8. INTERNATIONAL DATA TRANSFERS

Data may be transferred outside the European Economic Area (EEA) where necessary for operational or processing purposes.

In such cases, TransaPay ensures appropriate safeguards, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission

• Adequacy decisions (where applicable)

• Additional technical and organisational safeguards

9. DATA RETENTION

Personal data is retained only for as long as necessary for:

• Contractual obligations

• Regulatory AML/CTF requirements (typically 5–10 years depending on jurisdiction)

• Legal claims and dispute resolution

• Audit and financial reporting obligations

After expiration of retention periods, data is securely deleted or anonymised.

10. DATA SECURITY

TransaPay implements appropriate technical and organisational measures, including:

• Encryption in transit and at rest

• Access control and least-privilege permissions

• Secure logging and monitoring systems

• Segregation of sensitive financial data

• Regular security assessments and audits

No system is entirely immune to risk, but industry-standard safeguards are continuously maintained.

11. DATA SUBJECT RIGHTS (GDPR)

Individuals may exercise the following rights under applicable law:

• Right of access

• Right to rectification

• Right to erasure (“right to be forgotten”)

• Right to restriction of processing

• Right to data portability

• Right to object to processing

• Right to withdraw consent (where applicable)

Requests may be submitted to: legal@transa-pay.com

We may require identity verification before processing any request.

12. AUTOMATED DECISION-MAKING

TransaPay and its partners may use automated systems for:

• Fraud detection and prevention

• Risk scoring and transaction monitoring

• AML screening and sanctions checks

Such systems may influence onboarding approval, transaction routing, or risk-based restrictions. Human review is available in certain cases upon request or regulatory requirement.

13. COOKIES AND TRACKING TECHNOLOGIES

The website may use cookies and similar technologies for:

• Authentication and session management

• Security and fraud prevention

• Performance and analytics

• User experience optimisation

Users may control cookie preferences through browser settings or consent banners where applicable.

14. CHILDREN’S DATA

TransaPay services are not intended for individuals under 18 years of age. We do not knowingly collect data from minors.

15. CHANGES TO THIS POLICY

We may update this Privacy Policy at any time to reflect:

• Regulatory changes

• Operational adjustments

• Security improvements

• Third-party processor updates

Material changes will be communicated via website notification or email where appropriate.

16. CONTACT

For any questions relating to this Privacy Policy or data protection matters:

SES TECHNOLOGY SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ
Email: legal@transa-pay.com
Address: ul. Głogowska 82 / 22, 60-741 Poznań, Poland

17. FINAL STATEMENT

TransaPay operates within a regulated financial ecosystem involving multiple independent financial institutions. As such, data processing is inherently distributed, risk-sensitive, and subject to legal and regulatory obligations that may supersede individual service preferences.