• 🔥 Accept Bizum payments in your physical and online store.
More information
Contact
Login
  • 🔥 Acepta pagos por Bizum en tu tienda física y online.
Contacto
Login

INFORMATION IN COMPLIANCE WITH PERSONAL DATA PROTECTION REGULATIONS

The Management / Governing Body of Sipay Plus, SL (hereinafter, the data controller), assumes the utmost responsibility and commitment to the establishment, implementation and maintenance of this Data Protection Policy, guaranteeing the continuous improvement of the data controller with the aim of achieving excellence in relation to compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU L 119/1, 04-05-2016), and with Spanish legislation on the protection of personal data (Organic Law, specific sectoral legislation and its implementing regulations).

The Data Protection Policy is based on the principle of proactive responsibility, according to which the data controller is responsible for compliance with the regulatory and jurisprudential framework that governs said Policy, and is able to demonstrate this to the competent supervisory authorities.

In this regard, the data controller shall be governed by the following principles, which should serve as a guide and framework for all its staff in the processing of personal data:

  • Data protection by design: the controller shall implement, both when determining the means of processing and during the processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement the principles of data protection, such as data minimization, and integrate the necessary safeguards into the processing.
  • Data protection by default: the controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data that is necessary for each of the specific purposes of the processing are processed.
  • Data protection throughout the information lifecycle: measures that guarantee the protection of personal data will be applicable throughout the entire information lifecycle.
  • Lawfulness, fairness and transparency: personal data will be processed lawfully, fairly and transparently in relation to the data subject.
  • Purpose limitation: Personal data will be collected for specified, explicit and legitimate purposes and will not be further processed in a manner incompatible with those purposes.
  • Data minimization: personal data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy: Personal data shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without delay.
  • Limitation of the retention period: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and confidentiality: Personal data will be processed in such a manner as to ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical or organizational measures.
  • Information and training: one of the keys to ensuring the protection of personal data is the training and information provided to staff involved in its processing. Throughout the information lifecycle, all staff with access to the data will be properly trained and informed about their obligations regarding compliance with data protection regulations.

The Data Protection Policy of Sipay Plus, SL (hereinafter also SIPAY) is communicated to all personnel of the data controller and made available to all interested parties.

Consequently, this Data Protection Policy involves all personnel of the data controller, who must know and accept it, considering it as their own, with each member being responsible for applying it and verifying the data protection rules applicable to their activity, as well as identifying and contributing the opportunities for improvement that they consider appropriate with the aim of achieving excellence in relation to its compliance.

This Policy will be reviewed by the Management / Governing Body of SIPAY, as many times as deemed necessary, to ensure that it complies, at all times, with current regulations on the protection of personal data.

In Europe and in Spain there are rules to respect your fundamental right to the protection of your personal data and which generate obligations that our entity is legally obligated to comply with.

Therefore, it is very important for us that you fully understand what we will do with the personal data you provide through the contact form available on our website.

We want to be transparent and respect your right to control your data, using simple language and clear options that will allow you to decide what we do with your personal information.

Please, if you have any questions after reading this information, do not hesitate to ask us.

Thank you very much for your collaboration.

Who are we?

The entity responsible for processing your personal data is Sipay Plus, SL (hereinafter, “SIPAY”):

Our name: Sipay Plus, SL.

Our VAT number: B60462314

Our main activity: Payment methods

Our address: Calle San Rafael 1, Portal 2, 2ºC, 28108, Alcobendas, Madrid.

Our contact phone number: 914841028

Our contact email address: administracion@sipay.es

Our website: www.sipay.es

Our Data Protection Officer, whom you can contact for any questions regarding the processing of your personal data through the following channels:

Postal address: Calle San Rafael 1, Portal 2-2ºC, 28108 Alcobendas – Madrid.

Email: dpo@sipay.es

For your trust and security, we inform you that we are an entity registered in the following Commercial Registry /Public Registry: Registered in the Commercial Registry of Madrid, Volume 26686, Section 8, Folio 196, Page No. M480942, Entry 7

The person responsible for this website practices a regulated profession, for which we provide the following information: José Luis Nevado Martínez.

We are at your service, please do not hesitate to contact us.

What regulations do we comply with?

SIPAY will process personal data in accordance with applicable European Union or national legislation, including Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); and any other applicable data protection regulations (collectively, the “Data Protection Regulations”). In particular, SIPAY will implement appropriate technical and organizational measures to ensure an appropriate level of security for personal data.

How do we collect your data through the web?

The data we process at SIPAY has been obtained from you, through the various forms you complete while browsing the website or completed in some other format within SIPAY’s activities; through the sending of an email inquiry or through telephone communication.

If the personal data provided belongs to a third party, you guarantee that you have informed said third party of this Personal Data Protection Policy and have obtained their authorization to provide their data to SIPAY for the purposes indicated below.

Additionally, we inform you of the possible processing of your social media data through the corporate profiles in which SIPAY maintains a profile available, all based on the terms and conditions established in each social network.

We collect your personal information on this website through:

  • The SIPAY website contact form.
  • The SIPAY Employment website form.
  • The SIPAY newsletter subscription form.
  • The use of Cookies.
  • The Whistleblowing Channel Form.
  • When you exercise any of your data protection rights with us.

In the following section, we specify information regarding the data processing we may carry out as a result of collecting data in any of our forms, the personal data collected, the purpose of the processing, and the legal basis for processing this data.

What will we use your data for? What is the legal basis for this processing?

Specifically, SIPAY, in its capacity as Data Controller, collects personal data from its users through the various forms contained on the website, for the following purposes and legal basis for processing:

COLLECTED
PERSONAL DATA FORMPURPOSES OF PROCESSING LEGAL BASIS
“CONTACT” WEB FORM Identifying data (name and surname), contact data (email and telephone number) and data related to the organization you work for (company and website).
  • Respond to requests related to the services offered by SIPAY.
Consent.
“EMPLOYMENT” WEB APPLICATION FORM

Identifying information (name and surname) and contact information (email and telephone number) and any additional information that the user enters in the “Cover letter” field.

Resume.

  • Staff selection.
Consent.
Newsletter Identifying information (name and surname) and contact information (email and telephone number)
  • If you have consented by filling out the form, we may send you commercial and courtesy communications related to the services offered by SIPAY via telephone, regular mail, fax, email or equivalent electronic means of communication, including the receipt of our monthly newsletter.
For the receipt of commercial and courtesy communications related to the services offered by our organization, the legal basis is the consent you have given us by checking the corresponding box. If you have not checked it or if you withdraw your consent, we will not send you these communications.
“Join the partner program” form: Identifying data (name and surname) and contact data (email and telephone number) and any additional data that the user enters in the field “What do you want to receive information about?”
  • Respond to requests related to the relationship with SIPAY Partners.
Consent.
dpo@sipay.es Identifying data (name and surname), contact data (email address) and ID/NIF (by providing a photocopy to verify the identity of the applicant).
  • To address the exercise of users’ data protection rights.

Compliance with a legal obligation.

Legitimate interest: SIPAY may transmit your information to other related organizations for administrative management purposes.

IP and location cookies
  • Manage website functionalities, as well as analyze user preferences.
Express consent of the user (which can be given by ticking the corresponding box in the first layer of information about cookies on the website).
Reporting Channel: Identifiers and, depending on what the user indicates in the text of the report or attached files, may contain other types of data
  • Processing, investigating, and/or resolving complaints, including anonymous complaints, will be handled exclusively by those responsible for managing the Whistleblowing Channel at Sipay Plus, SL, in accordance with the Whistleblowing Channel Management Procedure, primarily the Compliance Committee. The utmost confidentiality and secure handling are guaranteed, with appropriate security measures in place for the type of data and the risk involved.
Compliance with a legal obligation in accordance with the provisions of Law 2/2023, of February 20, regulating the protection of persons who report regulatory infringements and the fight against corruption and the legitimate interest of Sipay Plus, SL to comply with the requirements in the area of corporate risk prevention, especially those related to the possible criminal liability of the legal entity, under Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights.

In cases other than those mentioned above, the processing will be based on the possible development of pre-contractual or contractual measures linked to our services.

SIPAY carries out the following processing of personal data not related to the website, duly registered in its Register of Processing Activities:

  • Management of personnel selection processes.
  • Management of labor relations, management of interns, training, payroll management, Social Security and Tax Administration, advances and expenses, travel and transportation, work-life balance and equality, registration of delivery and return of corporate devices, internal chat, registration of employee access/exit at the facilities, registrations, terminations and work accidents, management of insurance and policies, flexible compensation plan, prevention of occupational risks, medical check-ups, corporate events, video surveillance at the facilities.
  • Establishment and/or management (execution, development and control) of a contractual relationship with the legal entity or with the self-employed, clients and partners (potential or current).
  • Claims management (litigation).
  • Management of the prevention of money laundering in operations and companies of the group subject to said regulations and for the prevention of criminal risks.

We may be required to use and retain personal information for legal and compliance purposes, such as the prevention, detection or investigation of crime, loss or fraud prevention, or to comply with internal and external audit requirements, our information security objectives, crime prevention, or regulatory compliance inherent to our business, which may involve the processing of:

  • under applicable law;
  • to respond to requests from courts, security agencies, regulatory bodies and other authorities; and
  • to protect other rights of the user or other people.

Your commitment is to the accuracy of the information you provide.

He declares that the personal data he provides to SIPAY at any stage of the use of this website is truthful.

As a user, you should know that you are solely responsible for any damage or harm, direct or indirect, that may be caused to SIPAY as the owner of this website or to a third party if you complete any form with false data or data of third parties without their prior consent, causing deception, damage or harm.

In order for us to keep your data accurate and up-to-date, we ask the User to inform us of any changes that may occur in the data provided.

If you contact SIPAY for services provided to an entity (legal person) or as an individual entrepreneur, the processing of your personal data will be based on SIPAY’s legitimate interest (Article 19 LOPD).

If you contact SIPAY because you have used our payment methods when purchasing goods or contracting services from a SIPAY client business, the processing will be based on the contract with that business, which originated the payment.

In cases other than those mentioned above, the processing will be based on the possible development of pre-contractual or contractual measures linked to our services and our website.

In the case of personnel selection, the processing will be based on the development of pre-contractual measures, including the signing of the contract, for the possible hiring of the candidate, in addition to compliance with legal obligations for the registration of the employee.

For the receipt of commercial and courtesy communications related to the services offered by our organization, the legal basis is the consent you have given us by checking the corresponding box. If you have not checked it or if you withdraw your consent, we will not send you these communications.

Who will know the information we’re asking for?

Your personal data may be accessed by service providers that SIPAY contracts or may contract and who have the status of data processor, in order to fulfill the purposes described in the previous point.

Likewise, your information will be shared with public or private entities to whom we are legally obligated to provide your personal data. For example, tax law requires us to provide the Tax Agency with certain information about financial transactions exceeding a specific amount.

In the case of data entered in the Whistleblowing Channel Form, this data may be transferred to third parties only in the case of external legal advisors and judicial bodies and the State Security Forces and Corps or administrative authority, when necessary and in compliance with a legal obligation (Law 2/2023, of February 20, regulating the protection of persons who report regulatory infringements and the fight against corruption) and the legitimate interest of SIPAY to comply with the requirements in the area of corporate risk prevention, especially those related to the possible criminal liability of the legal entity (Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights).

In some cases, SIPAY uses third-party tools and services to manage some of the services offered on this website. These services are owned by third parties located within the European Economic Area.

SIPAY strives to use secure tools whose servers are preferably located in Spain, or failing that, in a member state of the European Union, or that comply with European law according to the guidelines and recommendations of the Spanish Data Protection Agency, the European Commission and the relevant community agreements on international data transfer.

In the event that international data transfer is necessary, acceptance of this Privacy Policy in each of the forms in which you may provide your data will mean that as a user you expressly consent to the aforementioned transfer.

How will we protect your data?

In order to protect users’ personal data, SIPAY ensures, and controls its data processors, the application of appropriate technical and organizational measures, taking into account the scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of the data subjects, striving to ensure the confidentiality, integrity, availability and resilience of the processing systems and services.

Our information security policies and procedures are regularly reviewed and updated to meet the needs of our business, technological changes, and regulatory requirements.

We will protect your data with effective security measures based on the risks involved in the use of your information.

To this end, our organization has approved a Data Protection Policy and undergoes annual controls and audits to verify the security of data processing.

Will we send your data to other countries?

SIPAY stores the personal data processed within Spain. Therefore, we do not transfer the data processed through this website internationally.

How long will we keep your data?

In general, personal data will be kept until you revoke your consent to the processing or request its deletion, as well as the time necessary to comply with the legal obligations that SIPAY must observe.

  • If you have given your consent to receive commercial communications, we will keep your contact details until you withdraw it, unsubscribing from this processing.
  • If you have contacted us as a user of our payment methods, during the term of the contract between you and the merchant, as well as the statutory limitation periods for legally applicable obligations.
  • If you have contacted us as a natural person who provides services in an entity with which SIPAY maintains a contractual relationship or may have an interest in it, while you perform that function or position and during the statutory limitation periods of legally applicable obligations.
  • If you have contacted us as an individual applying for one of the job offers, your personal data related to the processing for personnel selection will be kept for a period of one year.
  • In all other cases, SIPAY will retain the personal data related to your inquiry until it is answered and will subsequently delete it within 1 month.
  • In the case of data entered in the Complaints Channel Form, it will be kept in the Complaints Channel system for the time necessary to decide on the appropriateness of initiating an investigation into the reported facts and, where appropriate, while the investigation and resolution process of the complaints submitted is carried out, and always for a maximum period of 3 months from the date of entry of the complaint.

In any case, we inform you that SIPAY has established internal data cleansing policies designed to control the retention periods of personal data held by it, so these may be cancelled when they are no longer necessary and/or appropriate for the purpose for which they were collected.

What are your data protection rights?

You may exercise your rights of access, rectification, cancellation, opposition, limitation of processing and data portability, as well as withdraw the consent given free of charge, in the cases and with the scope established by the applicable regulations at any given time.

Before processing a request to exercise any of the aforementioned rights, SIPAY must verify the identity of the interested party and the legitimacy of their request or claim. SIPAY will respond to such request or claim in accordance with the provisions of the Data Protection Regulations.

To exercise these rights, you may contact SIPAY in writing by mail at the following address:

Sipay Plus, SL

C/ San Rafael 1, portal 2-2ºC,

28108 – Alcobendas, Madrid.

Or alternatively to dpo@sipay.es

If you have any questions regarding the exercise of your rights, you can contact the Data Protection Officer through the contact channels listed in the answer to the first question.

Can I withdraw my consent if I change my mind at a later time?

You can withdraw your consent by submitting a request through the website or by checking the box corresponding to the sending of commercial communications if you change your mind about it, by sending a new form through the website in which your withdrawal of consent is indicated.

If you believe your rights have been violated, where can you file a complaint?

If you believe that your rights have been disregarded by our organization, you may file a complaint with the Spanish Data Protection Agency through one of the following means:

  • Electronic headquarters: www.agpd.es
  • Postal address: Spanish Data Protection Agency, C/ Jorge Juan, 6, 28001-Madrid
  • By telephone: Tel. 901 100 099 Tel. 91 266 35 17

Filing a complaint with the Spanish Data Protection Agency is free of charge and does not require the assistance of a lawyer or solicitor.

Will we create profiles based on your personal data?

SIPAY does not perform any profiling action on the data you provide us in order to respond to the query made through the website.

What happens if I act on behalf of another individual?

If you have provided information about other individuals, you, as the applicant, are responsible for informing those individuals of the content of this information regarding personal data protection within a maximum period of one month. You release SIPAY from any liability that may arise from failure to comply with the provisions of this paragraph.

Minors

Anyone of any age is authorized to browse this website.

However, to provide their personal data, the user must be over 14 years of age. Otherwise, it must be provided by their father, mother, or legal guardian.

SIPAY reserves the right to request a copy of your ID or equivalent document that proves your legitimacy in case of having well-founded suspicions about the user’s minority.

SIPAY recommends that parents, representatives or legal guardians supervise or take appropriate precautions while minors are browsing the internet, as well as establish filters on the information and content that minors can or cannot access.

What happens if the security of personal data is compromised?

In the event of a breach of personal data security, unless it is unlikely that such a breach constitutes a risk to the rights and freedoms of natural persons, SIPAY will notify the Spanish Data Protection Agency within 72 hours of becoming aware of the incident, describing the nature of the breach, the possible consequences that may arise and the measures taken or proposed to remedy the security breach; and, if possible, will make known the categories and approximate number of data subjects and data affected.

SIPAY will also notify interested parties as soon as possible when a personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, describing the possible consequences and the measures taken or proposed to remedy the security breach.

What security measures do we apply to protect personal data?

In order to protect users’ personal data, SIPAY ensures, both independently and through its data processors, the application of appropriate technical and organizational measures, taking into account the scope, context, and purposes of the processing, as well as the varying risks to the rights and freedoms of the data subjects, and strives to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services.

In particular, SIPAY has implemented an encryption and authentication protocol that ensures that the personal data consulted by us is transmitted to our servers through a secure SSL connection (“Secure-Socket-Layer”) SHA-256 with RSA encryption (1.2.840.113549.1.1.11), in order to protect them from third parties.

The Information Security Policy (PCIDSS) and procedures are reviewed and updated regularly to meet business needs, technological changes, and regulatory requirements:

  • Technical and organizational measures are implemented to store and transfer information securely, in order to protect it against attacks or accidental loss, as well as against unauthorized access, use, destruction or disclosure.
  • SIPAY has a privacy and security risk assessment strategy, as well as a disaster recovery and business continuity plan designed to safeguard the continuity of our services and to protect your staff.
  • Appropriate restrictions are applied to access to personal information.
  • SIPAY requires its suppliers responsible for processing to provide accreditation of the security controls appropriate to the processing of personal data that they carry out in each case.
  • SIPAY requires its employees and contractors to be continuously trained in the area of information security, as well as in other relevant areas, since they have access to personal information and other sensitive data.

SIPAY states that it is able to act quickly and effectively to restore the availability and access to personal data in the event of identifying a physical or technical incident, maintaining an internal Incident Log, as well as the necessary backup management and control activities that guarantee the recovery of information in the event of a security incident.

SIPAY states that it stores users’ personal data on secure servers, protected against the most common types of attacks and located in Spain.

Use of cookies

SIPAY uses cookies (small information files that are downloaded to a user’s device or terminal equipment when accessing a website, in order to store data that can be updated and retrieved by the party responsible for their installation) and other tracking technologies to carry out certain functions that are considered essential for the correct operation and display of the website and, in some cases, to store and manage user preferences, enable content and collect analytical and usage data.

To obtain these analyses, this website may automatically store certain information in server logs through the use of cookies or other mechanisms (such as local or browser session storage) that collect non-personal usage and browsing data related to the User’s use of this website. These logs typically include information such as browser type, browser language, date and time of access request, URL, device model, operating system version, and data about the mobile network used to access and browse this website.

What happens if I act on behalf of another individual?

If you have provided information about other individuals, you, as the applicant, are responsible for informing those individuals of the content of this information regarding personal data protection within a maximum period of one month. You release SIPAY from any liability that may arise from failure to comply with the provisions of this paragraph.

What is the applicable law and jurisdiction?

SIPAY is based in Spain, therefore the content of this Data Protection Policy has been drafted in accordance with Spanish legislation and applicable European Union regulations.

The User accepts that any claims or complaints against SIPAY arising from or related to the use of this website and more specifically to the processing of their personal data will be resolved by the court of competent jurisdiction located in Madrid (Spain).

If SIPAY has to make any kind of claim, it will do so before the competent court of the user’s domicile or in Madrid (Spain) if it is a legal entity or non-consumer professional.

If the User accesses this site from a location outside of Spain, they are responsible for complying with all applicable local and international laws.

We reserve the right to modify the Data Protection Policy

SIPAY may modify this Data Protection Policy at any time, taking into account the evolution of this website and the content offered on it, if it deems it necessary, either for legal reasons, for technical reasons, or due to changes in the nature or arrangement of the website, without any obligation to notify or inform the User of said modifications, it being understood that their publication on the website itself is sufficient.

Any modification will take effect for users who access this website after the modification is made. Continued use of this site after the publication of any changes will be considered acceptance of those changes. Therefore, the last update date will always be published at the end of this Data Protection Policy, and any changes made will be effective from that date.

If the User does not agree with the updates to our Data Protection Policy, they may opt out by not entering their personal data in the website’s contact forms or by exercising their rights as specified above. If their rights are not respected, they may file a complaint with the supervisory authority.

Last update approved by DPO: 15/04/2024