Fastoo

Privacy policy

Personal Data Protection Policy

Launch date: February 2025

New Payment System LLC

405550899

Address: Merab Aleksidze Str. N12, Tbilisi, Georgia

www.fastoo.com info@fastoo.com support@fastoo.com

Introduction
When providing payment services, 'New Payment System' LLC (hereinafter - the provider) (405550899) acts in accordance with the norms and requirements stipulated by the legislation of Georgia and the best international practices
It is important for the provider to ensure the protection and security of data about its customers in order to implement high-quality services and maintain a leading role in the market.
The purpose of this personal data protection policy (hereinafter - the policy) is to define the rights and obligations of New Payment System LLC as a data processor and provider, as data subjects, and to explain the bases and purposes of personal data processing.

Definition of terms

Personal data (hereinafter - data) - any information related to an identified or identifiable natural person. A person is identifiable when it is possible to identify him directly or indirectly, in particular, with an identification number or a characteristic of a person with physical, physiological, psychological, economic, cultural or social signs.
Biometric data - a physical, mental or behavioral characteristic that is unique and permanent for each natural person and by which it is possible to identify this person (fingerprint, foot print, color membrane of the eye, retinal membrane of the eye (retinal image), facial characteristic)
Data processing - any action performed on data using automatic, semi-automatic or non-automatic means, namely, collection, recording, photographing, audio recording, video recording, organizing, storing, changing, restoring, retrieving, using or disclosing data for transmission, distribution or otherwise making available by making, grouping or combining, blocking, erasing or destroying.
Data subject (hereinafter - user) - user of the provider, a natural / legal person, about whom the data is processed
Consent - the voluntary consent expressed by the user (data subject) to the processing of data for a specified purpose after receiving relevant information orally, by telecommunication or other appropriate means, by which it is possible to clearly determine the will of the data subject
Data processor - for the present purposes - a provider who individually or jointly with others determines the purposes and means of personal data processing, performs data processing directly or through an authorized person;
Authorized person - an employee of the provider who processes data for or on behalf of the data processor;
Third party - natural or legal person, public institution, except for the data subject, personal data protection service, data processor and authorized person;

Basic provisions:
1. The processing of the user's personal data (including biometric data) is an integral part of the use of the provider's website and the services and products offered by the provider;
2. By accessing the provider's website, using the services and products, the user expresses his consent that he has familiarized himself with this policy, that the conditions defined by the policy are clear and understandable to the user, and that the provider processes his personal data in accordance with the legislation of Georgia and this policy;
3. When registering in the provider's system and using services / products, this policy becomes an appendix to the general service agreement;
4. The provider is entitled to make changes to the policy at any time, about which the user will be notified using the updated version on the website and/or in the form of a message sent by means of communication;
5. This policy is approved by the director of the provider and becomes effective from the date of its signature;
6. During data processing, the provider provides:

- to process data fairly and legally, without violating the dignity of the data subject;

- processing data only for specific, clearly defined, legal purposes;

- to store data only for the period necessary to achieve the purpose of data processing;

For direct marketing purposes, the Provider may process the following data: name(s), address, telephone number, e-mail address;
Biometric data can be processed in the course of activities, for the purposes of security and property protection, as well as to prevent the disclosure of confidential information;
The Provider may carry out data processing directly by himself (authorized employees) and/or through persons in business relations with him (hired persons), including persons providing external support services, which include but are not limited to the following activities: data centers, hosting, cloud hosting , customer support centers, marketing and other functions;
Appropriate organizational and technical measures for data protection have been adopted during data processing;
The provider is not responsible for the protection of personal data of users on third-party websites;

When processing data, the provider relied on the following grounds:
1. If there is a data subject's consent;
2. Data processing is subject to the law;
3. Data processing is required by the data processor to fulfill the duty assigned to him by law;
4. According to the law, the data is publicly available and/or the data subject has made it available;
5. Data processing is necessary to consider the application of the data subject (to provide services to him);

Data processing:
1. Data processing is necessary for the purpose of providing services to the user and the user's use of the provider's products:
2. 'New Payment System' LLC, as a payment service provider, is a regulated entity that, for the purposes of service implementation, must identify and verify the user, request additional information if necessary, evaluate and store it for the period established by law;
3. The provider ensures personal data processing in accordance with legal requirements.

Purposes of processing:
1. Establishing/verifying/confirming the user's identity;
2. Signing, executing and/or taking further actions for services and/or other type of contract with the customer;
3. transfer of funds (including payments) and, in accordance with the law, to send the necessary information related to the transfer/accompanying the transfer;
4. Implementation of Know Your Customer (KYC) requirements;
5. the user's so-called Liveness check;
6. Ensuring compliance with legal requirements related to payment services
7. dispute management, customer support and administration of activities necessary for service implementation (including telephone and electronic communication records) and monitoring;
8. Open communication with the customer (provision of information);
9. direct marketing;
10. statistical analysis;
11. ensuring compliance with other legal requirements imposed by the provider;

Processed data:
1. To fulfill the above-mentioned purposes, the provider processes and stores the following data about the user:
  1. name and surname;
  2. personal number / identification number;
  3. address;
  4. date of birth;
  5. user photo;
  6. citizenship;
  7. other additional data provided in the user's identity document;
  8. Liveness check process record;
  9. e-mail address;
  10. mobile/contact number;
  11. IP address;
  12. information about the user's activities;
  13. other additional documentation / copies submitted by the user during the service process;
  14. records of communication with the customer;
  15. Transactions, operations, deals performed by the user when receiving the service;
  16. other data required by the legislation of Georgia, which is necessary for the implementation of the provider's activities;
2. Data is collected, processed and stored for at least 5 years after termination of business relationship with the customer, unless otherwise provided by law;

Acquisition and transfer of data
1. The source of data acquisition may be the customer directly, other financial institutions (including commercial banks, microfinance organizations, payment service providers, virtual asset service providers and others), public bodies and institutions, state and non-state registers, persons authorized to represent the user, agencies, companies , which provide the registries of international rights, registration, providers of services for the provider and other persons;.
2. Data may be transferred to the following persons: supervisory/regulatory body, financial institutions, correspondents, investigation service and court, auditors, other organizations with legitimate interest and other persons with legal basis.

Authority of the data subject (user):
1. The data subject has the right to:
  1. request the data processor at any time to stop using data about him for direct marketing purposes;
  2. to request information about data processing from the data processor;
  3. to receive information about the processing of data about him immediately upon request or no later than 10 days after the request, if the response to the request for information is required by the provider:

searching and processing or consulting information in another institution or structural unit;
Searching and processing of significant volumes of unrelated documents;
consultation with its structural subdivision or other public institution in another settlement;

to choose the form of providing requested information regarding data processing;
request the correction, updating, addition, blocking, deletion and/or destruction of data about him if they are incomplete, inaccurate, not updated or if their collection and processing was carried out against the law. For the purposes of this clause, a request may be made in writing, orally or electronically;

The powers specified in clause 9.1 may be limited if the realization of these rights may endanger:
1. State security or defense interests;
2. public safety interests;
3. crime detection, investigation and prevention;
4. important financial or economic (including monetary, budgetary and tax related) interests of the country;
5. the rights and freedoms of the data subject and others;
The user has the right at any time, without explanation, to refuse the consent given by him and to request the termination of the data processing and/or the destruction of the processed data;
The user has the right to apply to the personal data protection service or to the court in case of violation of the law of Georgia `On personal data protection` and request the blocking of data before a decision is made;

Authority of data processor (provider):
1. Based on the written consent given by the data subject, the provider is authorized to process any data for direct marketing purposes;
2. to process data on the basis of a legal act;
3. to process data in accordance with its own activities and to ensure the fulfillment of the requirements defined by the law;

Obligation of the data subject (user):
1. to get acquainted with the proposed policy;
2. In case of familiarization and acceptance of the conditions defined by the policy, express consent to the processing, storage and recording of data about him;
3. provide the Provider with accurate, true and unmistakable information/data;

Obligation of data processor (provider):
1. The data processor is obliged to stop the processing of data for direct marketing purposes and/or ensure the termination of data processing for direct marketing purposes by an authorized person no later than 10 working days after receiving the data subject's request;
2. To provide the data subject with the following information:
  1. Name and registered address of data processor and authorized person (if any);
  2. which data about him are processed;
  3. Legal basis for data processing;
  4. how the data was collected;
  5. To whom the data about him was given, the basis and purpose of giving the data. Providing the mentioned information is not mandatory if the data is public according to the law;
  6. purpose of data processing;
  7. Is the provision of data mandatory or voluntary; if it is mandatory - the legal consequences of refusing it;
  8. The right of the data subject to receive information about the data processed about him, to request their correction, update, addition, blocking, deletion and destruction;
3. to take organizational and technical measures that ensure data protection from accidental or illegal destruction, alteration, disclosure, extraction, any other form of illegal use and accidental or illegal loss;
4. record all the actions performed on the data in electronic form;
5. with respect to data available in non-electronic form, to ensure accounting of all actions related to data disclosure and/or change;
6. ensure the adoption and existence of adequate security measures for risks related to data processing;
7. When disclosing data, record the following information: which data will be disclosed, to whom, when, and on what legal basis. The mentioned information is stored together with the data about the data subject during their storage period;
8. At the request of the data subject, to correct, update, add, block, delete or destroy the data if they are incomplete, inaccurate, not updated or if their collection and processing was carried out against the law. For the purposes of this clause, data correction, updating, addition, deletion and disposition are carried out within 15 days of receiving the request, and the decision on blocking is made within 3 days and is valid until the decision on correction, update, addition, deletion and destruction of data is made by the data processor;
9. According to the user's request, to stop the data processing and/or to destroy the processed data within 5 days from the submission of the application, if there is no other reason for the data processing.