I. GENERAL PROVISIONS
- This Privacy policy (hereinafter referred to as the “Policy”) is the main document that sets out the basis as to what happens to any Personal data that You provide to Verified payments, UAB, (hereinafter referred to as “Verifo”, “We”, “Us”), or that We collect from third parties about You while You are using or applying for Our Services and explains how We process Your Personal data through any relationship We have. We collect Personal data from You or other sources when You visit Our websites https://verifiedpayments.com, https://verifo.com. Our Services may be available through Our or Our intermediaries’ websites, internet banking systems, mobile apps or application programming interfaces (all of them or any of them hereinafter may be referred to as the “Platform”).
- Please note that We update Our Policy from time to time. For this reason, We encourage You to review this Policy regularly. If any major updates are made, We will inform all Service users as required by law via email.
- Your Personal data is managed by Verified Payments, UAB, operating under the brand name “Verifo” (legal entity code 304576936). Verifo’s office is located at Švitrigailos st. 11C, LT-03228, Vilnius. Verifo is a licensed e-money institution, authorized by the Bank of Lithuania under e-money license No. 27, issued on 13/02/2018. The Bank of Lithuania also supervises Verifo’s activities. Additionally, Verifo has appointed a Data Protection Officer (hereinafter referred to as the “DPO”), who can be contacted at [email protected] for any data protection-related inquiries.
- This Privacy Policy explains the key principles We adhere to when gathering, storing, and handling Your Personal data and other related information. It also clarifies the reasons for processing Personal data, identifies the sources and recipients involved, and outlines other essential aspects of data management when using Our Services as a payment service provider.
- In order to show respect to Your individual rights to privacy, Verifo acts according to the Law on the Legal Protection of Personal data of the Republic of Lithuania, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal data and on the free movement of such data (hereinafter referred to as “General Data Protection Regulation” or “GDPR”) and other applicable legal regulation, including any amendments or replacements to them.
- It is possible that Verifo may engage data processors and third parties, who will perform certain functions on behalf of Us. Under those circumstances, We guarantee the imposition of the non-disclosure obligation, which will prevent parties from using information beyond the scale necessary to perform the given functions. Security is highly important to Us. We take all reasonable measures to protect Personal data from loss, theft, misuse, and unauthorised access, disclosure, alteration, and destruction, including industry-standard security and encryption features. The employees, agents, and other parties who have access to Your Personal data are committed to ensuring its safety even upon termination of the contractual relationship.
- In case You provide information about other natural persons to Verifo, You undertake to make this Policy known to them before the disclosure of such information to Verifo. Thus, if an Account is opened on behalf of a legal entity by its Head or another representative, You must properly notify all relevant individuals (such as Beneficial Owners, etc.) about the transfer of their data to Verifo and ensure they have access to this Policy.
- If You disagree with any part of this Policy, You should not provide Personal data or stop using the Platform and/or Our Services immediately. Failure to agree with this Policy may result in the inability to use the Platform and/or Our Services.
- This Policy applies only to the data processed through the provision of Our Services and does not cover any third-party services that You might use while interacting with Us (e.g., payment processors, social media, internet providers). Please consult the privacy policies of those third-party service providers directly.
II. DEFINITIONS
- Account – shall mean an e-money and payment Account in the IBAN (International Bank Account Number) form, opened in the Verifo System in the name of the Client and used to perform payment, currency exchange and other transactions;
- AML – shall mean anti–money laundering and counter–terrorism financing regulations;
- Beneficial Owner – shall mean any natural person who owns the Client (a legal person or a foreign undertaking) or controls the Client and/or the natural person on whose behalf a transaction or activity is being conducted;
- Client – shall mean the natural person who is making payment to Our System, applying for Our Services, using Our Platform and/or Our Services or Representative, Beneficial owner of Our (potential) Client whose Personal data is provided to Us;
- Consent – means any freely given, specific, informed, and unambiguous indication of the Data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of Personal data relating to them;
- General Data Protection Regulations or GDPR – shall mean General Data Protection Regulation 2016/679 and other legal regulations;
- Data subject or You – means any identified or identifiable natural person, whose Personal data is processed by data controller (Us);
- E-money – shall mean electronically stored monetary value on the Account;
- EU – shall mean European Union;
- Head of Legal Entity or Representative – shall mean natural person (-s) that are entitled to make decisions on behalf of the legal entity under articles of association or other documents of establishment;
- KYC – shall mean procedures taken by Us to verify the identity of the Client, understand the nature of Client’s activity and assess money laundering and terrorist financing risks associated with the Client;
- Personal data – shall mean any information relating to an identified or identifiable natural person;
- PEP – shall mean politically exposed person;
- Platform – shall mean Our or Our intermediaries’ websites, internet banking systems, mobile apps or application programming interfaces;
- Processing – means any operation or set of operations which is performed on Personal data, such as collection, recording, storage, erasure, destruction, etc.;
- Services – shall mean the Payment Services, currency exchange Services and other Services provided by Verifo to You as described in this General Payment Service Agreement and its supplements;
- Supervisory institutions – shall mean Bank of Lithuania, State Data Protection Inspectorate, Financial Crimes Investigation Service, other institutions that supervise Our activity;
- Verification of the Identity – shall mean any procedures established by Verifo designated to identify Client, one’s Beneficial Owners and gather other information required by law;
- Verifo, We, Us – shall mean Verified Payments, UAB as stated above;
- Websites – shall mean https://verifiedpayments.com, https://verifo.com.
III. THE PURPOSE OF PROCESSING
- Verifo processes Personal data of its Clients (and their Representatives, Beneficial owners) in order to provide Services, fulfill contractual obligations, and comply with the legal requirements governing Payment Services. This includes processing Personal data to ensure compliance with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations. You may choose not to disclose any information to Us; however, without information about You, We may not be able to provide You with the Services or the support You request or require.
- Personal data processing for the purpose of providing the Services of Verifo
- In the course of providing its Services, Verifo may process the following data of its Clients, including personal identity details, contact information, and other relevant data. Verifo may collect this data directly from Clients or through authorised financial institutions or other enterprises that the Clients engage with.
- When providing Services of Verifo, Our or Our intermediaries’ websites, internet banking systems, mobile apps or application programming interfaces can process the following data of Our Clients, related to the identification of a natural person:
- name and surname;
- personal identification number or any other unique sequence assigned for identification purposes;
- date of birth;
- other personal identification data.
- Contact details:
- residential or business address;
- telephone number;
- email address;
- other contact details.
- Device and usage data:
- the operating system (OS) of Your device;
- the type and version of Your web browser used to access Verifo Services;
- Your device’s IP address and geolocation data;
- other device and usage data.
- Clients of Verifo also have the ability to access their individual Accounts on the Platform, where information about Services and transactions is available. Verifo processes Personal data to properly administer these Accounts, including:
- Client user ID;
- Login details and passwords;
- Timestamps;
- other relevant information to access the Account.
- When You use Verifo’s Payment services, We may collect details related to Your payment card, including:
- data on transactions carried out by the Client;
- Client’s card number;
- CVV or CVC code (security code on the card);
- other relevant information required to process payments securely.
- Verifo processes this Personal data on the basis of the agreements concluded with Clients. Verifo commits to collect only the minimum necessary Personal data required to achieve the purposes specified in this Policy.
- Automated decision making might be used for Verification of Your identity, monitoring Your operations, and activity in the Account. These processes are implemented to ensure compliance with legal requirements and the proper execution of Our Services. However, they do not produce legal or similarly significant effects without human intervention without Your explicit consent. If automated decision-making is necessary for providing Services or legal compliance, appropriate safeguards will be in place to protect Your rights, including the possibility of manual assessment.
- In cases where the business relationship was not established for reasons unrelated to AML (e.g., You decided not to complete the application or verification process for personal reasons), Verifo will retain Your Personal data for up to 1 (one) year from the date of the last interaction, unless a longer period is required by law. Data retention ensures the potential resumption of the process if requested, but after the 1 (one) year period, the data will be securely erased.
- Personal Data is retained for 8 (eight) years after the termination of the business relationship to meet legal requirements and maintain accurate records.
- Personal data processing for the purpose of preventing money laundering and terrorist financing
- In compliance with the AML regulations, Verifo is required to establish the identity of its Clients, their Representatives, and beneficiaries before entering into an official business relationship. In the event that the requirements established in the law are not fulfilled properly, the person may not become a Client of Verifo.
- By properly implementing the AML requirements, Verifo can obtain additional Personal data on Clients, their Representatives and beneficiaries from other third parties (for example, Client data can be verified in the databases on wanted persons and in international databases which accumulate and store information about the persons involved in politics, etc.). This can include verification against databases of PEPs, international databases, or registries of wanted individuals.
- Verifo processes this data in order to prevent money laundering, fraud, and financial crimes, ensuring that all AML requirements are met. Verifo stores Personal data of its Clients, their Representatives, and beneficiaries for the legal retention period, i.e., 8 (eight) years following the termination of business relationships or transactions. In specific cases defined by law, certain data may be stored for a shorter period.
- Personal data processing for the purpose of sending newsletters and marketing communications
- Verifo may process the Personal data of its Clients or their Representatives for direct marketing, statistical purposes, including sending newsletters about Verifo’s Services, updates, and other related information sent by e-mail to its Clients.
- For these purposes, Verifo processes the following Personal data:
- name and surname;
- email address;
- Personal data (such as used Services, location, IP, behaviour, etc.) to form a view on what We think You may want or need, or what may be of interest to You and show You adverts on Our website.
- Personal data is processed on the basis of Your consent.
- Future and current Clients of Verifo have the right to object to or withdraw their consent for the processing of their Personal data for the purpose of receiving newsletters at any time, whether before or after the processing begins. This objection can be submitted in writing by contacting Verifo via email [email protected].
- If a Client has provided consent for marketing purposes, Verifo will store their data for 8 (eight) years after the end of the business relationship. Otherwise, if a business relationship is not started, or the Client withdraws the consent, this Personal data will be stored for 1 (one) year after the withdrawal of the consent by the Data Subject.
- Recipients of Personal data and other information
- When providing Our Services, We may transfer some Personal data of Our Clients to third countries in order to perform Your payment transaction to a third-country recipient or when using third-country partners’ services for the payment transaction. Please be advised that the European Commission has so far recognised Andorra, Argentina (commercial organisations), and others as providing adequate protection. Data is transferred to the other third countries for the purpose of the performance of a contract between You and Us.
- We may provide Your data to selected third parties, including:
- Supervisory institutions – for entities performing statutory functions, such as regulatory authorities, law enforcement, bailiffs, and notaries;
- Authorised Data Processors – third party service providers appointed by Us to process data on Our behalf in compliance with legal requirements;
- Third Parties for Legal Enforcement – if the Client breaches a contract with Us, certain third parties may be engaged to protect and enforce Our legal rights;
- Debt Collection and Management Services – for managing and recovering debts owed by the Client to Verifo;
- Professional Services Providers – this includes legal advisors, auditors, IT service providers, and any third parties necessary for Us to provide Services.
- When transferring Personal data to third countries or international organisations, We ensure that the necessary safeguards, such as European Commission-approved Standard Contractual Clauses, are in place to protect Your data. You may request additional details on these safeguards by contacting Us via email [email protected].
- In all cases, We make reasonable efforts to ensure that, in compliance with the requirements of the Law, the Personal data of Our Clients, Representatives and/or beneficiaries are not lost or used illegally.
- We guarantee that any data transfers outside the European Economic Area (EEA) will only be made under appropriate safeguards such as an adequacy decision or the implementation of binding corporate rules, standard contractual clauses, or other mechanisms recognised by the GDPR to ensure the protection of Personal data.
- Notification about changes in Our Services
- Verifo must notify You of changes in Services and terms by law. These notifications are not considered marketing, and You cannot opt out. Your contact data will be processed until the end of Our business relationship.
- Dispute Settlement
- You can contact Us via email [email protected] or phone (it is available on Our websites) for Service inquiries, reporting unauthorized payments, or other requests. When You do so, We may process Your identity data, contact data, and device data, record phone calls and written communication.
- If You are a Client of Verifo, Your data is processed to fulfil contractual obligations, otherwise Your data is processed based on Your consent. Phone and email data are processed for legal compliance and dispute prevention purposes. Phone data is retained for 18 (eighteen) months, while email data is stored for 8 (eight) years after the termination of the business relationship or the last communication with You.
- Before initiating a formal dispute, We encourage You to first contact Verifo, so We can address Your complaint and resolve it cooperatively if valid. If You are not satisfied with Our response, You may escalate the matter to the relevant authority as per Our Complaints Policy.
- However, if a complaint cannot be resolved cooperatively, for dispute settlement purposes We may collect and process identity data, contact data, KYC data, as well as other data provided in Your claim and its supplements, according to the legal requirements.
- Debt Recovery
- In the event that You incur a debt with Us, We may process Your Personal data, including identity data, contact information, payment history, Service details, and debt-related information. This process is carried out based on Verifo’s legitimate interest in managing and recovering debts.
- By agreeing to Our terms, You acknowledge that if You fail to meet Your obligations to Us, We have the right to provide Your data to companies handling joint debtor data files, with prior notice to You.
IV. YOUR RIGHTS
- Regarding Your Personal data, You are entitled to the following rights under applicable laws:
- The right to access Your Personal data and information on how it is processed. You have the right to request confirmation from Verifo about whether Your Personal data is being processed, as well as the right to access the Personal data that is being processed and other related information.
- The right to rectify incorrect, inaccurate, or incomplete data. If You believe that the information Verifo processes is incorrect or inaccurate, You have the right to request that this information is updated, corrected, or completed.
- Right of Erasure (the right to be forgotten). The right of erasure of Personal data concerning You if there is no convincing reason for Us continuing to process it. Please be advised that We may not always be able to comply with Your request of erasure for specific legal reasons which will be notified to You, if applicable, at the time of Your request. Please note that under GDPR Article 17(3)(b), legal requirements take precedence over the right to be forgotten. From an AML perspective, the EU’s 4th AML Directive (4AMLD) introduced the requirement that both customer due diligence and transaction records be retained for a minimum of a set number of years after the end of the customer relationship and as a financial institution Verifo will retain Your data, in line with AML regulations, for a minimum of 8 (eight) years. In this context, the right to be forgotten would only be enforceable after this period had ended.
- The right to request the restriction of processing of Your Personal data. In certain cases defined by the applicable legislation (e.g., if Personal data is processed unlawfully or if You contest the accuracy of the data), You have the right to request that Verifo restrict the processing of Your Personal data.
- The right to request the transfer of Your Personal data to another data controller. You have the right to receive the data that Verifo processes based on Your consent or a contract, and that is processed by automated means, in a structured and commonly used format. You may also request that this data be transferred directly to another data controller.
- The right to object to the processing of Your Personal data if such processing is based on legitimate interests. If Verifo processes Your Personal data on the basis of its legitimate interests, You have the right to object to this processing, except in cases where there are legal grounds for the processing (e.g., if it is necessary for the establishment, exercise, or defense of legal claims).
- The right to withdraw consent for data processing at any time (if the processing is based on Your consent). If Your Personal data is being processed based on Your consent, You have the right to withdraw that consent at any time. Once You withdraw Your consent, the data processing based on that consent will stop.
- The right to complain to the supervisory authority. If You believe that Your rights related to the protection of Personal data are violated, You have the right to lodge a complaint with the State Data Protection Inspectorate. However, We encourage You to contact Verifo first to find an appropriate and effective solution to the issue.
- To expedite requests and prevent misuse, Verifo may ask for proof of identity when processing requests to exercise Your rights.
- Please note that these rights are implemented according to the applicable legislation. You can find more information about Your rights and the conditions for their implementation on the State Data Protection Inspectorate website at ada.lt.
- To exercise Your rights or if You have any questions about the protection of Your Personal data, please contact Verifo using the contact details provided in this Policy. We recommend submitting Your request in writing (via email: [email protected]) to ensure a detailed and appropriate response.
V. RESPONSIBILITIES
- The Client has a responsibility to provide Us with accurate and complete Personal data and promptly inform Us of any changes to that data;
- Verifo is not responsible for any damages incurred by the Client or third parties if the Client provides incorrect or incomplete Personal data or fails to inform Us of relevant updates. We will not be liable for damages resulting from inaccurate or incomplete data provided by the Client. In such case the Client is liable for any damages suffered by Us or other users due to incorrect information provided. This includes situations where other users enter into agreements with the Client based on inaccurate information. If a breach occurs due to third-party processors’ actions, they will share responsibility under GDPR regulations.
- We cannot fully guarantee uninterrupted, error-free operation of the website or mobile application, nor complete protection from viruses or other harmful elements. The Client is advised that any content accessed or downloaded from Our website is done at their own discretion and risk, and they are solely responsible for any harm to their computer system.
- If the Client is a registered user of the website/mobile application, they assume all risks and responsibility for third-party actions conducted through their login credentials and agree to fulfil any obligations arising from such actions, except where Verifo has failed to meet its own obligations. The Client is responsible for any harm resulting from unauthorized access via their login credentials. We will bear responsibility only if unauthorized access occurs due to Our negligence.
VI. DATA PROTECTION PRINCIPLES
- Verifo ensures compliance with the following essential data protection principles:
- The Personal data of the Client is collected for specified purposes (purpose limitation principle);
- The Personal data of the Client is processed in a lawful, fair, and transparent manner (lawfulness, fairness, and transparency principle);
- The Personal data of the Client should be adequate, relevant, and limited to what is necessary to achieve the processing purposes (data minimisation principle). Personal data must be accurate and, where necessary, updated; all reasonable measures must be taken to ensure that inaccurate data, considering the purposes of processing, is promptly deleted or corrected (accuracy principle);
- The Personal data of the Client is retained no longer than necessary for the processing purposes and in compliance with legal requirements (storage limitation principle);
- Personal data of the Client will be retained for no longer than necessary for processing purposes, and specific retention periods have been defined by Us, based on applicable legal regulations, such as retaining Personal data for 8 (eight) years after the termination of a contract (storage limitation principle);
- The Personal data of the Client must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, and accidental loss, destruction, or damage, using appropriate technical or organisational measures (integrity and confidentiality principle);
- Verifo is responsible for adhering to these principles (5.1.1. – 5.1.7.) and must be able to demonstrate compliance (accountability principle).
- This Policy applies to the relationships between Verifo and the Client who uses, has used, has expressed an intention to use, or is otherwise associated with the Services provided by Us, including relationships with the Client established prior to the effective date of this Policy.
VII. SECURITY OF PERSONAL DATA
- The organizational and technical measures implemented by Verifo ensure a level of security that is appropriate for the nature of the data managed and the risks associated with its processing. This includes, but is not limited to, the measures outlined in this section.
- Verifo implements technical and software safeguards, including information systems and database management, workstation monitoring, operating system protection, user access monitoring, antivirus protection, and others.
- We regularly review and update Our security practices to mitigate any potential risks related to Personal data processing, ensuring that any risks identified are adequately addressed.
- We apply administrative security measures, including secure document and data processing practices and employee training.
- Employees are authorised to collect, process, transmit, store, destroy, or otherwise use Personal data only in performing their direct work duties and in compliance with legal requirements.
- Employees are bound by a confidentiality principle, keeping any Personal data they access in the course of their duties confidential unless such data is publicly accessible under applicable laws or regulations.
- Employee access to Personal data is limited to the extent necessary to perform their duties.
- Employees who process Personal data automatically or whose computers have access to areas of the local network where Personal data is stored are secured with passwords. Passwords are updated periodically (at least every 3 (three) months) or in cases where circumstances warrant it (e.g., staff changes, threat of a data breach, suspicion of password disclosure to unauthorized persons, etc.). Only the employee working on a specific computer may know their password. Data processing rights are terminated when the employment or other contract ends, or when Verifo revokes the employee’s data processing designation.
- Logs of individuals authorised to process Personal data and their database access records are maintained.
- Personal data on portable computers, if used outside Our internal data transmission network, is secured using appropriate safeguards, reflecting the risks associated with data processing. Personal data accessed via portable computers or remote systems is protected by multi-factor authentication (MFA) and encrypted connections to ensure data security outside Our internal network.
- Backups of Personal data are created and stored separately from the active database, with data recovery from backups if needed.
- Employees must immediately notify Verifo’s management of any security breaches, signs of criminal activity, or ineffective security measures they observe. We will assess the breach risk, implement remedial measures, and inform relevant authorities and affected data subjects without undue delay, as per GDPR Articles 33 and 34.
- After assessing data breach risk factors, the degree of impact, harm, and consequences of a breach, Verifo decides on the measures needed to address the breach and its consequences and informs the relevant parties, following appropriate internal procedures.
- Security is ensured for premises where Personal data is stored (e.g., entry is limited to authorised individuals, and premises are equipped with security alarms).
Updated: 2025-04-28